LAB HANDOUT - Tenable - SC Specialist Course
Access control: Controls who has access to an endpoint, device, file share, network share or online service as well as the information it stores.
Authentication: The process to verify that someone is who they claim to be when they try to access a computing resource.
DMZ: Segment of a network where servers accessed by less trusted users are isolated. The name is derived from the term “demilitarized zone.”
Hacker: Someone who uses a computer system to gain unauthorized access to another system for data or who makes another system unavailable.
Intrusion detection system (IDS): A device or software application that monitors a network or systems for malicious activity or policy violations.
Intrusion prevention system (IPS): Intrusion detection system that also blocks when policy violations have occurred.
Malware: Software intended to infiltrate and damage or disable computers. Shortened form of “malicious software.”
Remediation: The process by which organizations identify and resolve threats to their systems.
Risk: The possibility that an event will occur and adversely affect the achievement of an objective.
Security control: Something that modifies or reduces one or more security risks.
Security information and event management (SIEM): A solution that collects, analyzes, and correlates network, event and log data for the detection of suspicious activity and compliance.
Threat actor: Any individual or group of individuals that attempts to or successfully conducts malicious activities against enterprises, whether intentionally or unintentionally.
Two-factor authentication: A method of confirming identity utilizing something known (like a password) and something possessed or a part of the individual (like entering a code sent via SMS or a thumbprint recognition).
Virus: Malware that is loaded onto a computer and then runs without the user’s knowledge, or without knowledge of its full effects.
COPYRIGHT 2020 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, TENABLE.IO, TENABLE NETWORK SECURITY, NESSUS, SECURITYCENTER, SECURITYCENTER CONTINUOUS VIEW AND LOG CORRELATION ENGINE ARE REGISTERED
TRADEMARKS OF TENABLE, INC. TENABLE.SC, TENABLE.OT, LUMIN, INDEGY, ASSURE, AND THE CYBER EXPOSURE COMPANY ARE TRADEMARKS OF TENABLE, INC. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR
RESPECTIVE OWNERS.
rev 010721
2. Click the Menu button (three lines in the upper left corner) from the main dashboard.
3. Click the Edit (pencil) icon.
5. Verify both your First Name and Last Name appear correctly.
6. Fill out any other required fields marked by a red asterisk (*).
10. Click the Tenable logo in the upper left corner.
Part 1: Task 2 - Access Slides, Labs and Handouts
Step-by-step Instructions:
1. Find and click the icon that represents your current course located under the heading
Instructor-led Courses.
4. Click CONTENT.
COPYRIGHT 2021 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, TENABLE.IO, TENABLE NETWORK SECURITY, NESSUS, SECURITYCENTER, SECURITYCENTER CONTINUOUS VIEW AND LOG
CORRELATION ENGINE ARE REGISTERED TRADEMARKS OF TENABLE, INC. TENABLE.SC, TENABLE.OT, LUMIN, INDEGY, ASSURE, AND THE CYBER EXPOSURE COMPANY ARE TRADEMARKS OF TENABLE,
INC. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.
5. Observe the folder entries that represent the outline of the course. You can expand and collapse
these to access the slides, labs and any handouts to open or download.
Part 1: Task 3 - Access Feedback Survey
Step-by-step Instructions:
1. The last item in the last folder is the link for the student Feedback Survey. If you do not see the
student feedback survey, please let your instructor know as soon as possible.
End of Exercises
rev 020921
1. Check your email as you should have received an email from u [email protected] with lab
environment information. The subject line is Tenable University - Lab Access Information.
2. Use your web browser to connect to the host labeled Tenable Core Tenable.sc on port 8000 using
HTTPS in a new incognito/private browsing window.
1. Use your web browser to connect to the host Tenable Core Nessus on port 8000 with HTTPS in a new
incognito/private browsing window.
Activity Exercise Scenario: Deployment Considerations
Activity
Below is a network diagram of your organization’s network. Using the diagram, indicate where the Tenable
Products should be placed. If there are firewall rules and/or port forwarding rules, please annotate them in
the notes at the bottom.
[Network diagram omitted; labeled segments include DMZ and Sales.]
NOTES:
rev 021621
1. Using your web browser, connect to the host Tenable Core + Nessus on port 8000.
3. Select Reuse my password for privileged tasks.
4. Click Login.
5. Click Networking.
6. Under Interfaces, note the IP address of the Nessus scanner for interface eth0. Ignore the /24 and just
note the IP address.
7. Click System.
Challenge Questions:
1. Look at the graphs on the right. How many cores does this Nessus scanner have? Is that enough?
Step-by-step Instructions:
2. Click Check for Updates.
4. Click Update Management to review the current update policy.
Challenge Questions:
1. The default configuration is set to update automatically at boot time, and then update once per day.
Are there any reasons you might not want it to update once per day at the time listed?
1. Click Nessus.
3. Click the URL to the right of URLs. (You may have to open this in an incognito/private browsing window
to avoid certificate errors.)
4. Click Advanced.
5. Click Proceed to…
7. Click Continue.
9. Click Continue.
11. In the Password box create a password. The password must be 14 characters with one uppercase
letter, one lowercase letter, one number and one special character.
12. Click Submit.
14. Click Scanner Health.
Challenge Questions:
2. Click Advanced. Find the line that says Login Banner. Why would you want to set a login banner on the
Nessus scanner?
End of Exercises
Answer Key
Part 1: Task 1
1. Look at the graphs on the right. How many cores does this Nessus scanner have? Is that enough?
● Two. No. This host does not have the minimum recommended cores.
2. Click the word Memory. How much memory does this host have? Is it enough?
● 8 GB. Yes.
Part 1: Task 2
1. The default configuration is set to update automatically at boot time, and then update once per day.
Are there any reasons you might not want it to update once per day at the time listed?
● There are several reasons, such as maintenance windows, or when active scans are running.
2. Does this update schedule impact the plugin updates?
● No. Plugins are managed by Tenable.sc.
Part 2: Task 1
1. Look at the scanner health, do you see any warnings?
● Yes. There is a warning for not meeting the minimum recommended number of CPUs/cores.
2. Click Advanced. Find the line that says Login Banner. Why would you want to set a login banner on the
Nessus scanner?
● Even though users won’t typically be signing into this machine, many organizations have
policies that mandate banners on every asset even if they are not being actively used. In
addition, you could also put a banner in place indicating that this Nessus scanner is being
managed by Tenable.sc, and scans and data should be accessed through Tenable.sc, not here.
rev 010721
1. Using your web browser, connect to the host Tenable Core + Tenable.sc on port 8000.
2. Select Reuse my password for privileged tasks.
3. Click Login.
4. Click Networking.
Challenge Questions:
3. Click the word Firewall. What is the rule for 443? Is this good practice?
Part 1: Task 2 - Generate a Diagnostic Report for Tenable.sc
Use the Management interface to generate a diagnostic report for Tenable.sc.
Step-by-step Instructions:
2. Click Create Report.
4. Click Download Report.
1. Click Tenable.sc.
2. Click the URL to the right of URLs. NOTE: You may have to open this link in an incognito/private
browsing window to avoid certificate errors.
3. Click Advanced.
4. Click Proceed to…
6. Click Update License.
8. Click Activate.
9. Click the + to the right of Nessus Scanner.
11. Click Register.
12. After the green check mark appears, click Next in the top right corner.
16. In the Password box enter the password you created for Nessus in the previous lab.
17. Click Next.
21. Click Next.
24. Click Next.
25. We do not have LDAP server information right now, so click Skip.
32. In the Confirm Password box underneath Administrator, type Tenable123!
33. Click Next.
34. Deselect the toggle button Enable Usage Statistics and click Next.
35. Click Confirm.
36. Click Complete Setup.
Challenge Questions:
1. Look to the right of HQ Nessus underneath Scanner status. What is the status?
2. Look in the lower right corner where it says Latest Plugins. What is the ID of the first plugin?
Optional Advanced Problems
This section is optional and can be completed during any free time you may have available while taking this
course.
TOTAL ESTIMATED OPTIONAL EXERCISE TIME: 5:00 MINUTES
Task 1 - Set Banner
The company would like their name to appear on the header in Tenable.sc. Find the section in the Tenable.sc
configuration where you set the banner and set it to Tenable-Acme.
Task 2 - Set IP Randomization
The company has some Nessus scanners that will be scanning through an IPS that will block sequential
scanning. Locate the section in configuration where scanning can be set to IP Randomization and turn it on.
End of Exercises
Answer Key
Part 1: Task 1
1. What is the IP address of Tenable.sc?
● 10.0.2.246
2. Is the firewall enabled on Tenable.sc?
● Yes
3. Click the word Firewall. What is the rule for 443? Is this good practice?
● The rule for 443 is open to any IP. No, you should limit the connectivity for port 443 to only
hosts that are going to need to connect to the Tenable.sc console.
Part 1: Task 2
1. What is the format of the Diagnostic Report?
● Compressed tar
2. Does this report contain any privileged information?
● Yes, it contains detailed information about the Tenable.sc configuration.
Part 2: Task 1
1. Look to the right of HQ Nessus underneath Scanner status. What is the status?
● Updating Plugins
2. Look in the lower right corner where it says Latest Plugins. What is the ID of the first plugin?
● 10001
rev 010721
2. Log in with the credentials you created in Module 6, Part 1, Task 1, steps 6 and 7.
3. Click Tenable.sc in the menu at left.
7. Click Assets.
9. Click Static IP List.
13. Click Submit.
14. Click + Add in the upper right corner.
15. Click Static IP List.
16. In the Name box, type Los Angeles
19. Click Submit.
20. Click + Add in the upper right corner.
21. Click Static IP List.
25. Click Submit.
Challenge Questions:
2. Click the gear icon to the right of Headquarters and select View. How many viewable IPs does it show?
Why?
Part 1: Task 2 - Create Groups for Headquarters, Los Angeles and Chicago
Use the three asset lists to create groups with visibility limited to each asset list.
Step-by-step Instructions:
1. Click Users.
2. Click Groups.
3. Click + Add in the upper right corner.
8. Click Submit.
9. Click + Add in the upper right corner.
11. In the Search box to the right of Viewable Hosts, type Group
14. Click Submit.
15. Click + Add in the upper right corner.
17. In the Search box to the right of Viewable Hosts, type Group
20. Click Submit.
Challenge Questions:
1. Can a user in the Full Access Group see the scan policies created by any of the three regional groups?
2. If you wanted to create a scan policy that was available to all groups, how could you do it?
Part 2 - Custom Roles and Users
Sam Smith is on the Security team in Chicago, but doesn’t have any Tenable training. The Security Supervisor in
Chicago would like to give Sam the ability to launch scans in Chicago, but not create scan policies or upload
audit files. Sam is also not responsible for managing blackout windows.
Part 2: Task 1 - Create a Custom Role
Create a custom role that can launch scans and create alerts.
Step-by-step Instructions:
1. Click Users.
2. Select Roles.
3. Click + Add in the upper right corner.
8. Click Submit.
Challenge Questions:
1. Click the gear icon to the right of Junior Security Analyst and select View. Look in the box labeled
Scanning Permissions. Do you see any permission here that you didn’t set? If so, what is it, and what
does it allow the user to do?
2. If you have a standalone Nessus scanner that you are using for an air-gapped network and you wanted
this role to be able to take the results from that scanner and place the data in Tenable.sc, what
permission would need to be enabled?
Part 2: Task 2 - Create a User
Create the user Sam Smith and assign him to the Chicago Group with a role of Junior Security Analyst.
Step-by-step Instructions:
1. Click Users and select Users.
2. Click + Add in the upper right corner.
12. Click Submit.
Challenge Questions:
1. If Sam moved to Los Angeles and started working in the Los Angeles office as a security officer, what
would we do with his account?
2. If Sam signs in right now, can he launch a scan of the Chicago office?
End of Exercises
Answer Key
Part 1: Task 1
1. Click the < on the right side to open the filter. What could you filter on to display only the asset lists
you just created? Click the > on the right side to close the filter.
● Tag = Group Asset Lists
2. Click the gear icon to the right of Headquarters and select View. How many viewable IPs does it show?
Why?
● 0. When we defined the repository in the previous lab the IP range did not include
192.168.1.0/24 so there cannot be any HQ IPs in this repository. We will fix that in the next
module.
Part 1: Task 2
1. Can a user in the Full Access Group see the scan policies created by any of the three regional groups?
● No, not unless those policies are explicitly shared to the Full Access Group.
2. If you wanted to create a scan policy that was available to all groups, how could you do it?
● There are two ways that this can be achieved. You can select a given scan policy and share it
with other groups, OR you can create the scan policy using the administrator account. Scan
Policies created as the administrator are available to all organizations and all groups.
Part 2: Task 1
1. Click the gear icon to the right of Junior Security Analyst and click View. Look in the box labeled
Scanning Permissions. Do you see any permissions here that you didn’t set? If so, what is it, and what
does it allow the user to do?
● Yes, Plugin ID scans are also available. This allows users to perform remediation scans on
individual plugin IDs.
2. If you have a standalone Nessus scanner that you are using for an air-gapped network and you wanted
this role to be able to take the results from that scanner and place the data in Tenable.sc, what
permission would need to be enabled?
● You would add the permission “Upload Nessus scan results” to the role.
Part 2: Task 2
1. If Sam moved to Los Angeles and started working in the Los Angeles office as a security officer, what
would we do with his account?
● From Users > Users, click ssmith to Edit User. Change Time Zone to Los Angeles. Under
Membership, change the Group to Los Angeles. Under Responsibility, change Asset to Los
Angeles.
2. If Sam signs in right now, can he launch a scan of the Chicago office?
● No. At this point in the overall process, there are no scan policies created. However, once there
are scan policies, he won’t be able to see the data from the office he scanned.
rev 010721
1. Open up a web browser to the Tenable Core + Tenable.sc on port 443 that you received in your email.
NOTE: The default link goes to port 8000 (for the management interface); you must remove the port
(:8000) to connect to Tenable.sc directly.
2. Click in the username box and type admin
3. Click in the password box and type Tenable123!
4. Click Repositories, and then select Repositories.
5. Click + Add in the upper right corner.
7. Type Testing in the Name field.
8. Type 0.0.0.0 in the IP Ranges field.
10. Disable Generate Trend Data in the Advanced Settings.
11. Click Submit.
Challenge Questions:
2. When we turned off trend data, did it disable any other features?
3. Click the gear icon for Testing and review the options. What would you use the Export feature for?
Part 1: Task 2 - Create a Repository for Compliance Data
Create a repository for compliance data for Headquarters, Chicago and Los Angeles.
Step-by-step Instructions:
1. Click Repositories, and then select Repositories.
2. Click + Add.
3. Click IPv4.
4. Type Compliance in the Name field.
7. Change 30 to 365 for the Days Trending field in the Advanced Settings section.
8. Click Submit.
Challenge Questions:
2. What are the possible reasons we changed the days trending from 30 to 365?
Part 2 - Modify Repository and Create Scan Zones
When performing the initial configuration, the repository was defined with the IPs 10.0.2.0/24 and a matching
scan zone. Modify the Vulnerabilities repository to include the IP ranges for all three offices, and create scan
zones for all three offices. Attach the one scanner to the HQ Scan Zone.
Part 2: Task 1 - Modify the Vulnerabilities Repository
Modify the Vulnerabilities repository so it includes the ranges for HQ, Chicago and Headquarters.
Step-by-step Instructions:
1. Click Repositories, and then Repositories.
2. Click the gear icon for Vulnerabilities, and then select Edit.
4. Click Submit.
5. Click the gear icon for Vulnerabilities, and then select View.
Challenge Questions:
2. The trending value on the repository is set to 30 days. Does this create any limitations?
Part 2: Task 2 - Create Scan Zones
Create scan zones for Chicago, HQ and Los Angeles. Attach the scanner to Headquarters.
Step-by-step Instructions:
1. Click Resources, and then select Scan Zones.
2. Click + Add.
3. Type Headquarters in the Name field.
5. Select HQ Nessus for Scanners.
6. Click Submit.
7. Click + Add.
8. Type Los Angeles in the Name field.
10. Click Submit.
11. Click + Add.
12. Type Chicago in the Name field.
14. Click Submit.
Challenge Questions:
1. If someone were to launch a scan of the Chicago network, would the scan run?
2. Do we need to give the organization Tenable-Acme access to the new scan zones?
Part 3 - Create Diagnostics Report
When contacting support about potential issues with Tenable.sc, they will typically ask for a Diagnostics Report.
Create a Diagnostics Report.
1. Click System, and then select Diagnostics.
2. Click Create Diagnostics File.
3. Click Generate File.
4. Wait for the Diagnostics File to generate, and then click Download Diagnostics Report.
Challenge Questions:
1. Some problems can be identified without examining the diagnostics file. Look at the System Status
section. Are there any issues identified here?
End of Exercises
Answer Key
Part 1: Task 1
1. Why did we turn off trend data?
● By turning off trending, drive space is saved on Tenable.sc
2. When we turned off trend data, did it disable any other features?
● Yes, trending charts are no longer available.
3. Click the gear icon to the right of Testing and look at the options. What would you use the Export
feature for?
● To back up data, or move data to a new instance of Tenable.sc
Part 1: Task 2
1. Is there any way to limit a repository to just compliance results?
● No
2. What are the possible reasons we changed the days trending from 30 to 365?
● To allow for compliance trending for a year.
Part 2: Task 1
1. Look at the values for IP Ranges. Is there anything unusual?
● The entry for 10.0.5.0/22 has been changed to 10.0.4.0/22. This is due to the actual network
address being 10.0.4.0, the assignable IP addresses being 10.0.4.1 - 10.0.7.254, and the
broadcast address being 10.0.7.255. Tenable.sc also does not convert CIDR blocks to ranges. It
maintains CIDR notations and ranges as they were input.
2. The trending value on the repository is set to 30 days. Does this create any limitations?
● Trending analysis is limited to 30 days.
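The CIDR normalization described in the Part 2: Task 1 answer, and the "0 viewable IPs" result from the earlier asset-list lab, can be reproduced offline with Python's ipaddress module. This is an added example, not part of the Tenable handout or of Tenable.sc itself; the function names are hypothetical, the sample ranges are the ones used in these labs, and the coverage count is only a model of whether a repository's IP ranges can hold an asset list's addresses.

```python
import ipaddress


def describe_cidr(entry):
    """Normalize one CIDR entry and report the addresses the answer key lists."""
    # strict=False masks off host bits instead of raising an error,
    # so 10.0.5.0/22 becomes the real network 10.0.4.0/22.
    net = ipaddress.IPv4Network(entry.strip(), strict=False)
    if net.prefixlen >= 31:
        # /31 and /32 have no separate network or broadcast address.
        first, last = net.network_address, net.broadcast_address
    else:
        first, last = net.network_address + 1, net.broadcast_address - 1
    return {
        "input": entry.strip(),
        "normalized": str(net),
        "changed": str(net) != entry.strip(),
        "network": str(net.network_address),
        "first_host": str(first),
        "last_host": str(last),
        "broadcast": str(net.broadcast_address),
    }


def parse_entry(entry):
    """Turn a CIDR, a single IP, or an 'a-b' range into (first, last) integers."""
    entry = entry.strip()
    if "-" in entry:
        lo_text, hi_text = (part.strip() for part in entry.split("-", 1))
        lo = ipaddress.IPv4Address(lo_text)
        hi = ipaddress.IPv4Address(hi_text)
        if lo > hi:
            raise ValueError(f"range start is above range end: {entry}")
        return int(lo), int(hi)
    net = ipaddress.IPv4Network(entry, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def merge(intervals):
    """Merge overlapping or adjacent (first, last) intervals."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return merged


def covered_addresses(repo_entries, asset_entries):
    """Count asset-list addresses that fall inside the repository's IP ranges."""
    repo = merge(parse_entry(e) for e in repo_entries)
    asset = merge(parse_entry(e) for e in asset_entries)
    total = 0
    for a_lo, a_hi in asset:
        for r_lo, r_hi in repo:
            lo, hi = max(a_lo, r_lo), min(a_hi, r_hi)
            if lo <= hi:
                total += hi - lo + 1
    return total


if __name__ == "__main__":
    # Values taken from this handout: the /22 entry from the answer key,
    # the initial repository range, and the HQ range from the asset-list lab.
    print(describe_cidr("10.0.5.0/22"))
    initial_repo = ["10.0.2.0/24"]
    hq_assets = ["192.168.1.0/24"]
    print("HQ addresses the initial repository can hold:",
          covered_addresses(initial_repo, hq_assets))
    # Constructed "after" state: the repository extended to include HQ.
    extended_repo = ["10.0.2.0/24", "192.168.1.0/24", "10.0.5.0/22"]
    print("HQ addresses after extending the repository:",
          covered_addresses(extended_repo, hq_assets))
```

Running the same check on a planned IP Ranges list before submitting it shows which entries have host bits set and which asset lists would still fall outside the repository.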
Part 2: Task 2
1. If someone were to launch a scan of the Chicago network, would the scan run?
● No, because there is no scanner in the Chicago Scan Zone.
2. Do we need to give the organization Tenable-Acme access to the new scan zones?
● Yes
Part 3: Task 1
1. Some problems can be identified without examining the diagnostics file. Look at the System Status
section. Are there any issues identified here?
● No
2. What is the purpose of stripping IPs from chapters in a diagnostics report?
● To retain organizational privacy when sharing results with Tenable.
rev 021621
1. Sign into Tenable.sc with the username of scan manager and the provided password.
2. Click Scans, and then select Policies.
3. Click + Add located in the upper right corner.
4. Click Host Discovery.
5. Type Host discovery scan policy in the Name field.
6. Click Submit.
Challenge Questions:
1. Click Scans and select Policies. If you have a large number of scan policies, how can you find this
policy?
1. Click Assets.
2. Click + Add.
3. Click Static IP List.
4. Type Companyname-hq in the Name field.
5. Type Offices in the Tag field.
7. Click Submit.
Challenge Questions:
1. Are there any other options for creating this asset list other than a static list that might be used?
2. Click the gear icon to the right of Companyname-hq and select Export. Open the downloaded file in a
text editor. What version of Tenable.sc was this asset list created on?
Part 1: Task 3 - Create and Launch the First Host Discovery Scan
Create and launch a host discovery scan using the asset list you created in Task 2.
Step-by-step Instructions:
1. Click Scans, and then select Active Scans.
2. Click + Add.
3. Type Companyname-hq host discovery scan in the Name field.
4. Select Host discovery scan policy in the Policy field.
5. Click Settings located on the left.
6. Select active-scanning from the Import Repository drop-down.
7. Click Targets located on the left.
8. Type Company in the Assets field.
10. Click Submit.
12. Type Companyname in the Name field.
13. Click Apply.
14. Close the Filters panel.
2. Click Scans and select Scan Results. Click the gear icon to the right of Companyname-hq host
discovery scan. What was the scan duration?
Part 1: Task 4 - Adjust Host Discovery Scan to Run Daily
Now that we have confirmed the Host Discovery scan is running properly, we will adjust the scan so it runs
automatically overnight starting at midnight US Central Time each day.
Step-by-step Instructions:
1. Click Scans, and then select Active Scans.
2. Click the gear icon for Company-hq host discovery scan, and then select Edit.
3. Click On Demand under the Schedule section.
4. Select On Demand from the Frequency drop-down.
5. Click Daily.
6. Click the Time drop-down.
7. Click 00:00.
8. Click the Timezone drop-down.
9. Type America/Chicago in the text field, and then hit Enter.
10. Click America/Chicago.
11. Click Submit.
Challenge Questions:
1. If you wanted to chain multiple discovery scans together, what would you use?
Step-by-step Instructions:
1. Sign into Tenable.sc with the username of scan manager and the provided password.
2. Click Scans, and then select Policies.
3. Click +Add.
4. Click Host Discovery.
5. Type Operating System Discovery Policy in the Name field.
6. Click the Host Enumeration drop-down under the Configuration section.
7. Select OS Identification.
8. Click Submit.
Challenge Questions:
2. Is there a way to change the ping options using the OS ID discovery method in the policy?
1. Click Scans, and then select Active Scans.
2. Click the gear icon for Companyname-hq host discovery scan.
3. Select Copy.
4. Click the gear icon for Copy of Companyname-hq host discovery scan.
5. Select Edit.
6. Click Policy drop-down, and then select Operating System Discovery Policy.
7. Rename the scan Companyname-hq operating system discovery scan in the Name field.
8. Click Submit.
Part 2: Task 3 - Adjust Operating System Discovery Scan to Weekly
Now that we have confirmed the host discovery scan is running properly, we will adjust the scan so it runs
automatically overnight starting at midnight US Central Time each day.
Step-by-step Instructions:
1. Click Scans, and then select Active Scans.
2. Click the gear icon for Company-hq Operating System discovery scan and select Edit.
3. Click Every day at... located in the Schedule section.
4. Select Weekly from the Frequency drop-down.
6. Click Submit.
Part 3 - Scan for Common Number Ports
We want to scan for common ports to make sure we have proper firewall rules in place.
Part 3: Task 1 - Create a Port Scanning Discovery Policy
Sign into Tenable.sc and create a port scanning discovery policy.
Step-by-step Instructions:
1. Sign into Tenable.sc with the username of scan manager and the provided password.
2. Click Scans, and then select Policies.
3. Click +Add.
4. Click Host Discovery.
5. Type Common Port Discovery Policy in the Name field.
6. Click the Host Enumeration drop-down in the Configuration section and select Port Scan (common
ports).
7. Click Submit.
Challenge Questions:
1. Will this scan policy scan the Nessus scanner if it is in the scan range?
2. If the scan uses ICMP ping, how many retries will it use?
1. Click Scans, and then select Active Scans.
2. Click the gear icon for Companyname-hq host discovery scan.
3. Select Copy.
4. Click the gear icon for Copy of Companyname-hq host discovery scan.
5. Select Edit.
6. Select Common Port Discovery Scan from the Policy drop-down.
7. Rename the scan Companyname-hq Common Port Discovery Scan in the Name field.
8. Click Submit.
3. Credentials were not provided, so how was the scan able to perform a netstat scan?
End of Exercises
Answer Key
Part 1: Task 1
1. Click Scans, and then select Policies. If you have a large number of scan policies, how can you find this
policy?
● Use the filter on the right side of the policies window.
2. Click the gear icon to the right of Host discovery scan policy and select Export. Open the downloaded
file with a plain text editor. Scroll down to Plugin Preferences on line 199. Look at the line underneath
<PluginName>Ping the Remote Host</PluginName>. What plugin ID reports on pings?
● 10180
Part 1: Task 2
1. Are there any other options for creating this asset list other than static that might be used?
● Yes, you could use a Dynamic Asset list with a field of Address is 10.0.2.0/24
2. Click the gear icon to the right of Companyname-hq and select Export. Open the downloaded file in a
text editor. What version of Tenable.sc was this asset list created on?
● 5.15.0
Part 1: Task 3
1. How many hosts were discovered in the scan?
● 7
2. Click on Scans and Scan Results. Click the gear icon to the right of Companyname-hq host discovery
scan. What was the scan duration?
● Scan times will vary, but should be less than 3 minutes.
Part 1: Task 4
1. If you wanted to chain multiple discovery scans together, what would you use?
● Dependent scans
2. What Plugin ID contains Nessus Scan information?
● Plugin ID 19506
Part 2: Task 1
1. What pings will be used in this policy?
● TCP, ARP and ICMP
2. Is there a way to change the ping options using the OS ID Discovery method in the policy?
● No
Part 2: Task 2
1. What operating systems were discovered during the scan?
● Linux Kernel 2.6, Amazon Linux AMI, Ubuntu 16.04, Microsoft Windows 10
2. How many Windows 10 hosts were discovered?
● 1
Part 2: Task
No challenge questions
Part 3: Task 1
1. Will this scan policy scan the Nessus scanner if it is in the scan range?
● Yes
2. If the scan uses ICMP ping, how many retries will it use?
● 2
Part 3: Task 2
1. Did you discover any web servers running on port 80?
● Yes
2. What method of port scan was performed?
● SYN and Netstat port scanning
3. Credentials were not provided, so how was the scan able to perform a netstat scan?
● The Nessus scanner used Netstat as a local command on itself.
rev 012921
1. Sign into Tenable.sc with the username of scan manager and the provided password in your email.
2. Click Scans, and then select Policies.
3. Click +Add located in the upper right corner.
4. Click Basic Network Scan.
5. Type Basic Network Scan Policy in the Name field.
6. Click Submit.
Challenge Questions:
1. Open the scan policy and look at the settings. What is the max simultaneous checks per host value?
Part 1: Task 2 - Create and Launch a Non-Credentialed Scan
Using the Asset list created in the previous lab, create and launch a non-credentialed scan.
Step-by-step Instructions:
1. Click Scans, and then select Active Scans.
2. Click +Add.
3. Type Companyname-hq Non Credentialed Scan in the Name field.
4. Select Basic Network Scan Policy from the Policy drop-down.
5. Click Settings located on the left.
6. Select active-scanning from the Import Repository drop-down.
7. Click Targets located on the left.
8. Type Company in the Assets Search field.
10. Click Submit.
12. Type Companyname in the Name field.
13. Click Apply.
16. Click Scan Results.
1. Are you able to use the List Software analysis tool with the results of this scan?
2. Were there any hosts in these scan results that did receive a credentialed scan and if so, why?
Part 2 - Credentialed Vulnerability Scan
Best practices call for credentialed scans wherever possible. Create credentials for Windows and Linux hosts
and launch a scan of the asset list companyname-hq.
Part 2: Task 1 - Create Windows and Linux Credentials
Best practices for Vulnerability Assessment call for credentialed scanning with administrative level
credentials whenever possible. Create a set of Windows and Linux credentials.
Step-by-step Instructions:
1. Click Scans, and then select Credentials.
2. Click +Add.
3. Click Password from the Windows section.
4. Type Windows Credentials in the Name field.
6. Type Tenable123! in the Password field.
7. Click Submit.
8. Click +Add.
9. Click Password from the SSH section.
10. Type Linux Credentials in the Name field.
12. Type Tenable123! in the Password field.
15. Click Submit.
Challenge Questions:
1. What Tenable.sc users have access to these credentials for scanning purposes?
2. What other options are there available for privilege elevation with Linux credentials?
Part 2: Task 2 - Create and Launch a Credentialed Scan
The Basic Network Scan policy used in the non-credentialed scan can also be used for a credentialed scan.
Copy the non-credentialed scan, rename it and add Windows and Linux credentials.
Step-by-step Instructions:
1. Click Scans, and then select Active Scans.
2. Click the gear icon for Company-hq Non-Credentialed scan and select Copy.
3. Click the gear icon for Copy of Companyname-hq Non-Credentialed scan and select Edit.
5. Click Credentials, and then +Add Credential.
6. Click the Nothing Selected drop-down, and then select Windows.
7. Click the No Items Selected drop-down, and then select Windows Credentials.
9. Click +Add Credential.
10. Click the Nothing Selected drop-down, and then select SSH.
13. Click Submit.
15. Click Scan Results and wait for the scan to finish.
Challenge Questions:
1. Click Scans, and then select Policies.
2. Click +Add.
3. Click Basic Network Scan.
4. Type Fast Basic Network Scan Policy in the Name field.
6. Click the Advanced drop-down in the Configuration section and select Custom.
7. Click Advanced on the left.
9. Enter the value 10 in the Max Simultaneous Checks Per Host field.
10. Enter the value 252 in the Max Simultaneous hosts field.
11. Click Submit.
Challenge Questions:
1. Click Scans, and then select Active Scans.
2. Click the gear icon for Companyname-hq Credentialed Scan and select Copy.
3. Click the gear icon for Copy of Companyname-hq Credentialed Scan and select Edit.
4. Rename the scan Fast Credentialed Vulnerability Scan of HQ in the Name field.
5. Select Fast Basic Network Scan Policy from the Policy drop-down.
6. Click Submit.
8. Click Scans, and then select Scan Results.
2. Look at Plugin ID 19506 for a single host on this scan, and look at the plugin output: Do you see your
changes to the policy in the plugin output for this plugin?
Part 4 - Disabling Safe Checks
There are some vulnerabilities where the only way to test for the vulnerability is to compromise the host. The
default Basic Network Scan policy will not perform these tests. In this section, we will create a scan policy with
safe checks disabled.
Part 4: Task 1 - Create a Basic Network Scan Policy with Safe Checks Disabled
Create a scan policy named “Unsafe Basic Network Scan Policy” using the Basic Network Scan Policy
template and disable safe checks.
Step-by-step Instructions:
1. Click Scans and select Policies.
2. Click +Add.
3. Click Basic Network Scan.
4. Type Unsafe Basic Network Scan Policy in the Name field.
5. Type Vulnerability Scan policies in the Tag field.
6. Click the Advanced drop-down under the Configuration section.
7. Select Custom.
8. Click Advanced on the left.
9. Locate Enable Safe Checks and disable this option by clicking the toggle to move it to the left.
10. Click Submit.
Challenge Questions:
1. Click Scans, and then select Active Scans.
2. Click the gear icon for Companyname-hq Credentialed Scan.
3. Select Copy.
4. Click the gear icon for Copy of Companyname-hq Credentialed Scan.
5. Select Edit.
6. Rename the scan Unsafe Credentialed Vulnerability Scan of HQ in the Name field.
7. Select Unsafe Basic Network Scan Policy from the Policy drop-down.
8. Click Submit.
10. Click Scans, and then select Scan Results.
2. Filter on Low, Medium, High and Critical vulnerabilities, and see how many vulnerabilities you found.
Now compare that with the previous credentialed scan. Did you find more vulnerabilities?
Part 5 - Malware Assessment
Tenable.sc can perform malware assessment on hosts using credentialed scans. In this section, we will create
a scan policy that just performs a malware assessment on targets.
Part 5: Task 1 - Create a Malware Scan Policy
Create a scan policy named Malware Scan policy using the Malware Scan policy template.
Step-by-step Instructions:
1. Click Scans, and then select Policies.
2. Click +Add.
3. Click Malware Scan.
4. Type Malware Scan policy in the Name field.
5. Click Submit.
Challenge Question:
1. Open the scan policy and look at the options. If you wanted to check for connection to potentially
dangerous IPs, what could you do?
2. By default, does this scan perform a scan of the file system for malware?
Part 5: Task 2 - Create and Launch a Scan Using the New Scan Policy
Rather than creating a scan from the ground up, we can copy an existing scan and then modify its policy.
This prevents potential mistakes when creating the scan.
Step-by-step Instructions:
1. Click Scans, and then select Active Scans.
2. Click the gear icon for Companyname-hq Credentialed Scan.
3. Select Copy.
4. Click the gear icon for Copy of Companyname-hq Credentialed Scan.
5. Select Edit.
7. Select Malware Scan policy from the Policy drop-down.
8. Click Submit.
10. Click Scans, and then select Scan Results.
2. Was any malware identified?
3. How could you find out additional details about a potential malware?
End of Exercises
Answer Key
Part 1: Task 1
1. Open the scan policy and look at the settings. What is the max simultaneous checks per host value?
● 4
2. Is CGI scanning enabled in this scan policy by default?
● No
Part 1: Task 2
1. Are you able to use the List Software analysis tool with the results of this scan?
● No
2. Were there any hosts in these scan results that did receive a credentialed scan and if so, why?
● Yes, the Nessus scanner was scanned locally and so it did a credentialed scan of the Nessus
scanner.
Part 2: Task 1
1. What Tenable.sc users have access to these credentials for scanning purposes?
● Anyone in the Full Access Group
2. What other options are there available for privilege elevation with Linux credentials?
● su, su+sudo, k5login, Cisco Enable, dzdo, pbrun
Part 2: Task 2
1. How can we confirm that this is a credentialed scan?
● There are several different ways we can confirm credentials worked for scanning. Plugin ID
19506 in its scan output will tell you whether or not the scan used credentials. Plugin ID 110095
will also tell you whether credentials were successful.
2. Were there any hosts where the credentials failed?
● Yes
Part 3: Task 1
1. What concerns are there with this scan policy?
● It will put a significant load on targets, and generate a high amount of network traffic.
2. Can this policy be used for credentialed and non-credentialed scans?
● Yes
Part 3: Task 2
1. Did the scan run faster?
● Yes
2. Look at Plugin ID 19506 for a single host on this scan, and look at the plugin output: Do you see your
changes to the policy in the plugin output for this plugin?
● Yes
Part 4: Task 1
1. What concerns are there with this scan policy?
● There is some risk that scans with this policy will interfere with targets.
2. Can this policy be used for credentialed and non-credentialed scans?
● Yes
Part 4: Task 2
1. Did the scan run slower?
● Yes
2. Filter on Low, Medium, High and Critical vulnerabilities, and see how many vulnerabilities you found.
Now compare that with the previous credentialed scan. Did you find more vulnerabilities?
● No
3. In what situations might you want to use this policy?
● For hosts that are going to be on a public IP, a periodic scan using this policy against a mirror
copy of this host in a lab should be run to identify those potential vulnerabilities that might be
used against your public IP assets.
Part 5: Task 1
1. Open the scan policy and look at the options. If you wanted to check for connection to potentially
dangerous IPs, what could you do?
● Add those IPs to the Custom Netstat IP Threat List.
2. By default, does this scan perform a scan of the file system for malware?
● No
Part 5: Task 2
1. Did the scan run faster?
● Yes
2. Was any malware identified?
● Yes
3. How could you find out additional details about a potential malware?
● Use the Vulnerability Detail List analysis tool and look at the plugin output.
rev 021621
1. Click Scans, and then select Audit Files.
2. Click +Add.
3. Type “CIS Microsoft Windows Server 2016” in the Search Templates field.
4. Press Enter.
5. Click CIS Microsoft Windows Server 2016 MS L2.
6. Type CIS Microsoft Windows Server 2016 MS L2 in the Name field.
7. Click Submit.
Challenge Question:
1. How would you download this audit file to view its contents?
Part 1: Task 2 - Create a CIS Compliance Scan Policy
Create a scan policy using the Policy Compliance Auditing template and attach the CIS Microsoft Windows
Server 2016 MS L2 v1.1.0 audit file to the policy.
Step-by-step Instructions:
1. Click Scans, and then select Policies.
2. Click +Add.
3. Click Policy Compliance Auditing.
4. Type CIS Microsoft Windows Server 2016 MS L2 v1.1.0 Scan Policy in the Name field.
5. Click Compliance.
6. Click Add Audit File.
7. Click Select a Type.
8. Click Windows.
9. Click Select an Audit File.
10. Click CIS Microsoft Windows Server 2016 MS L2 v1.1.0.
12. Click Submit.
Challenge Question:
1. When creating the scan policy, there was a section labeled “Authentication.” Why did we not add
Windows credentials in that section?
Part 1: Task 3 - Create and Launch Compliance Scan and Confirm Scan Ran Properly
Copy the scan Companyname-hq Credentialed Scan and replace the scan policy with the scan policy CIS
Microsoft Windows Server 2016 MS L2 v1.1.0 Scan Policy and name it CIS Microsoft Windows Server 2016 MS
L2 v1.1.0 compliance scan.
Step-by-step Instructions:
1. Click Scans.
2. Click Active scans.
3. Click the gear icon for Companyname-hq Credentialed Scan.
4. Select Copy.
5. Click the gear icon for Copy of Companyname-hq Credentialed Scan.
6. Select Edit.
7. Rename the scan CIS Microsoft Windows Server 2016 MS L2 v1.1.0 compliance scan in the Name field.
8. Select CIS Microsoft Windows Server 2016 MS L2 v1.1.0 scan policy from the Policy drop-down.
9. Click Settings.
10. Select active-scanning-compliance from the Import Repository drop-down.
11. Click Submit.
12. Launch the CIS Microsoft Windows Server 2016 MS L2 v1.1.0 compliance scan.
13. Click Scans, and then select Scan Results.
16. Select Browse.
Challenge Questions:
2. Click Vulnerability Summary and select Severity Summary. Are there any advisories?
1. Click Scan, and then select Scan Results.
2. Click the gear icon for Companyname-hq Credentialed Scan.
3. Select Browse.
4. Open the Filters panel (>>) located on the left side of the screen.
5. Click Clear Filters, if available.
7. Click the Vulnerability Summary drop-down, and then select List OS.
Challenge Questions:
Part 2: Task 2 - Create an Audit File, Scan Policy and Scan for the Linux Host
Perform a CIS compliance scan of the Ubuntu host. Deploy a CIS Ubuntu Linux 16.04 LTS server L2 v 1.1.0
audit file, create a scan policy and scan the Ubuntu host.
Step-by-step Instructions:
1. Click Scans, and then select Audit Files.
2. Click +Add.
4. Press Enter.
5. Click Ubuntu Linux 16.04 LTS Server L2 v1.1.0.
6. Type CIS Ubuntu Linux 16.04 LTS Server L2 V1.1.0 in the Name field.
7. Click Submit.
8. Click Policies.
9. Click +Add.
10. Click Policy Compliance Auditing.
11. Type CIS Ubuntu Linux 16.04 LTS Server L2 V1.1.0 in the Name field.
12. Click Compliance.
13. Click Add Audit File.
14. Click Select a Type drop-down, and then select Unix.
15. Click Select an Audit File drop-down, and then CIS Ubuntu Linux 16.04 LTS Server L2 V1.1.0.
17. Click Submit.
18. Click Active Scans.
20. Click Copy.
22. Click Edit.
23. Rename the scan CIS Ubuntu Linux 16.04 LTS Server Level 2 v 1.1.0 compliance scan in the Name field.
24. Select CIS Ubuntu Linux 16.04 LTS Server L2 V1.1.0 from the Policy drop-down.
25. Click Targets.
27. Enter the IP address of the Ubuntu host (10.0.2.248) in the IP/DNS Name field.
28. Click Settings.
29. Select active-scanning-compliance from the Import Repository drop-down.
30. Click Submit.
31. Launch the CIS Ubuntu Linux 16.04 LTS Server Level 2 v 1.1.0 compliance scan.
32. Click Scan Results.
35. Select Browse.
Challenge Questions:
2. Click Vulnerability Summary and select Severity Summary. Were there any compliance failures?
Part 3 - Search for Credit Card Numbers on Windows Hosts
In this section we are going to search Windows hosts for credit card numbers.
Part 3: Task 1 - Create Credit Card Search Audit File and Scan Policy, then Launch Scan
Use the Credit Card Search Audit File template under Windows File Contents to create an audit file and scan
policy and scan HQ.
Step-by-step Instructions:
1. Click Scans, and then select Audit Files.
2. Click +Add.
3. Click Windows Files Contents.
4. Type Credit Card in the Search Templates field.
5. Press Enter.
6. Click TNS File Analysis - Credit Card Number.
7. Type Windows Credit Card Number Search in the Name field.
8. Click Submit.
9. Click Policies.
10. Click +Add.
11. Click Policy Compliance Auditing.
12. Type Credit Card Search Policy for Windows in the Name field.
13. Click Compliance.
14. Click +Add Audit File.
15. Click Select a Type and select Windows File Contents.
16. Click Select an Audit File, and then select Windows Credit Card Number Search.
18. Click Submit.
19. Click Active Scans.
21. Click Copy.
23. Click Edit.
24. Rename the scan Windows Credit Card Search Scan in the Name field.
25. Select Credit Card Search Policy for Windows from the Policy drop-down.
26. Click Submit.
28. Click Scan Results. NOTE: This scan will take a while to run, so come back later in the day and answer
these questions.
Challenge Questions:
2. Start at the first line of the file, insert the following text, taking care to note that spacing and
capitalization are incredibly important in this file:
<check_type:"Windows" version:"2">
<group_policy:"My Password Policy">
<custom_item>
type : PASSWORD_POLICY
description : "My Password Policy"
info : "Information Example"
solution : "Solution Example"
see_also : "See Also Example"
value_type : POLICY_DWORD
value_data : [15..MAX]
password_policy : ENFORCE_PASSWORD_HISTORY
</custom_item>
</group_policy>
</check_type>
3. Save the file as a plain text file with the name windowspassword.audit
4. Click Scans, and then select Audit Files.
5. Click +Add.
6. Click Advanced in the Custom section.
7. Type Windows Password Audit in the Name field.
9. Click Submit.
10. Click Policies.
11. Click +Add.
12. Click Policy Compliance Auditing.
13. Type Windows Password Check in the Name field.
14. Click Compliance.
15. Click +Add Audit File.
16. Click Select a Type drop-down, and then select Windows.
17. Click Select an Audit File drop-down, and then select Windows Password Audit.
19. Click Submit.
20. Click Active Scans.
22. Click Copy.
24. Click Edit.
25. Rename the scan Windows Password Check for HQ in the Name field.
26. Select Windows Password Check from the Policy drop-down.
27. Click Submit.
29. Click Scan Results
1. Were there any hosts that were out of compliance with the minimum password length requirement?
End of Exercises
Answer Key
Part 4: Task 1
1. Were there any hosts that were out of compliance with the minimum password length requirement?
● Yes
2. How long did the scan take to run? Why?
● This scan will take at least an hour to run, because it has to do a file system search examining
contents of individual files on Windows hosts.
3. Would this be a good scan to run during business hours?
● Probably not, because it puts significant load on the IO of the disks on the hosts that are being
scanned.
Advanced Problems: Task 1
The following is an example audit file to perform the task described:
<check_type:"Windows" version:"2">
  <group_policy:"My Password Policy">
    # Passes when the audited policy value is 15 or higher.
    <custom_item>
      type            : PASSWORD_POLICY
      description     : "My Password Policy"
      info            : "Information Example"
      solution        : "Solution Example"
      see_also        : "See Also Example"
      value_type      : POLICY_DWORD
      value_data      : [15..MAX]
      password_policy : ENFORCE_PASSWORD_HISTORY
    </custom_item>
  </group_policy>
</check_type>
Advanced Problems: Task 1
The following is an example audit file to complete the task described:
<check_type:"Windows" version:"2">
  <group_policy:"Windows Version check">
    # Reports PASSED when the ProductName registry value matches the 2016 pattern, FAILED otherwise.
    <if>
      <condition type:"AND">
        <custom_item>
          type        : REGISTRY_SETTING
          description : "Windows Server 2016 is installed"
          value_type  : POLICY_TEXT
          value_data  : "^[a-zA-Z0-9\(\)\s]*2016[\s]*[a-zA-Z0-9\(\)\s]*$"
          reg_key     : "HKLM\Software\Microsoft\Windows Nt\Currentversion"
          reg_item    : "ProductName"
          check_type  : CHECK_REGEX
        </custom_item>
      </condition>
      <then>
        <report type:"PASSED">
          description : "Windows 2016 installed"
        </report>
      </then>
      <else>
        <report type:"FAILED">
          description : "Windows 2016 not installed"
        </report>
      </else>
    </if>
  </group_policy>
</check_type>
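The following Python sketch is an added example, not part of the handout and not Tenable's implementation. It parses the two custom_item bodies shown above and evaluates them against constructed host values, to show what the [15..MAX] range and the ProductName regex accept. The function names, the sample values and the treatment of MAX as the largest 32-bit number are assumptions.

```python
import re

DWORD_MAX = 2**32 - 1  # assumption: MAX means the largest 32-bit value

# Constructed copies of the two custom_item bodies from the audit files above.
PASSWORD_ITEM = """
type            : PASSWORD_POLICY
description     : "My Password Policy"
value_type      : POLICY_DWORD
value_data      : [15..MAX]
password_policy : ENFORCE_PASSWORD_HISTORY
"""

VERSION_ITEM = r"""
type        : REGISTRY_SETTING
description : "Windows Server 2016 is installed"
value_type  : POLICY_TEXT
value_data  : "^[a-zA-Z0-9\(\)\s]*2016[\s]*[a-zA-Z0-9\(\)\s]*$"
reg_key     : "HKLM\Software\Microsoft\Windows Nt\Currentversion"
reg_item    : "ProductName"
check_type  : CHECK_REGEX
"""


def parse_item(text):
    """Turn 'key : value' lines into a dict, dropping surrounding quotes."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key/value line
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key.strip()] = value
    return fields


def dword_matches(spec, actual):
    """Evaluate a POLICY_DWORD value_data: a single number or [low..high]."""
    def bound(token):
        token = token.strip()
        return DWORD_MAX if token == "MAX" else int(token)

    match = re.fullmatch(r"\[(.+?)\.\.(.+?)\]", spec.strip())
    if match:
        return bound(match.group(1)) <= actual <= bound(match.group(2))
    return actual == bound(spec)


def evaluate(item, actual):
    """Return PASSED or FAILED for one item against the value read from a host."""
    if item["value_type"] == "POLICY_DWORD":
        ok = dword_matches(item["value_data"], int(actual))
    elif item.get("check_type") == "CHECK_REGEX":
        ok = re.search(item["value_data"], str(actual)) is not None
    else:
        ok = item["value_data"] == str(actual)
    return "PASSED" if ok else "FAILED"


if __name__ == "__main__":
    password_item = parse_item(PASSWORD_ITEM)
    for value in (10, 15, 24):  # constructed host settings
        print(password_item["password_policy"], value, evaluate(password_item, value))

    version_item = parse_item(VERSION_ITEM)
    for name in (  # constructed ProductName values
        "Windows Server 2016 Standard",
        "Windows Server 2019 Datacenter",
        "Windows Server 2016 Standard, Evaluation",  # comma is outside the character class
    ):
        print(repr(name), evaluate(version_item, name))
```

The third ProductName fails even though it contains 2016, because the pattern is anchored at both ends and its character classes allow only letters, digits, parentheses and whitespace.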
rev 012921
1. Click Assets.
2. Click +Add located in the upper right corner.
3. Type Web Servers in the Search Templates field.
4. Press Enter.
5. Click Web Servers.
6. Click Add (bottom of screen).
7. Click < to open the Filters panel located in the upper right corner.
8. Click All underneath Name.
9. Type Web in the Enter Name field.
10. Click Apply.
11. Close the Filters panel. NOTE: If the word calculating appears in the asset list Web Server detection,
wait for it to finish.
13. Click View.
Challenge Questions:
1. Click the triangle to the right of active-scanning. How many web servers were detected?
2. Does this number appear reasonable, given the number of hosts identified in your vulnerability scans
from Lab 10?
Part 1: Task 2 - Create a Combination Asset List
After having performed a significant number of scans, the Security team wants a list of web servers in
headquarters. Create a combination asset list using the Web Server Detection and Companyname-hq asset
lists.
Step-by-step Instructions:
1. Click Assets.
2. Click +Add.
3. Click Combination in the Custom section.
4. Type Web servers at HQ in the Name field.
8. Select Companyname-hq.
9. Click Submit.
11. Select View.
Challenge Questions:
2. Click the triangle to the right of active-scanning. What IP addresses at HQ have web servers?
Part 1: Task 3 - Create a Custom Dynamic Asset List
We want to identify SMTP servers in Headquarters. Create a custom dynamic asset list for hosts accepting
port 25 or port 587.
Step-by-step Instructions:
1. Click Assets.
2. Click +Add.
3. Click Dynamic in the Custom section.
4. Type SMTP Servers in the Name field.
5. Mouse over “Any of the following are true:” in the Asset Definition section.
6. Click Add Rule.
7. Click the Plugin ID drop-down, and then select Port.
8. Type 25,587 in the is equal to field.
10. Click Submit.
12. Click Web underneath Name.
13. Type SMTP in the Enter Name field.
14. Click Apply.
17. Select View.
Challenge Questions:
2. How would you create an asset list just listing the SMTP servers in the HQ range?
Part 2 - Asset Patching
In this section, you will create an asset list of Windows 10 hosts.
Part 2: Task 1 - Asset List of Windows Hosts
Create a dynamic asset list of Windows 10 hosts using a template.
Step-by-step instructions:
1. Click Assets.
2. Click +Add.
3. Type “Microsoft Windows 10” in the Search Templates field (include the quotation marks).
4. Press Enter.
5. Click Microsoft Windows 10.
6. Click Add.
7. Click < to open the Filters panel located in the upper right corner.
8. Click SMTP underneath Name.
9. Type Windows in the Enter Name field and click Apply.
12. Select View.
Challenge Questions:
1. Were there any Windows 10 hosts in the company-hq network that we have scanned? (10.0.2.0/24)
Part 3 - New Hosts
In this section, you will create an asset list of new hosts with critical vulnerabilities based on daily credentialed
scanning.
Part 3: Task 1 - Create an Asset List of New Hosts
Create an asset list of hosts discovered in the last 24 hours.
Step-by-step instructions:
1. Click Assets.
2. Click +Add.
3. Click Dynamic in the Custom section.
4. Type Newly discovered hosts in the Name field.
5. Mouse over “Any of the following are true:” in the Asset Definition section.
6. Click Add Rule.
7. Click the Plugin ID drop-down, and then select Days Since Discovery.
9. Type 2 in the next text field.
12. Click Submit.
Challenge Questions:
2. If you were performing weekly scanning, how might you change this asset list?
Part 3: Task 2 - Create an Asset List of Hosts with Critical Vulnerabilities
Create an asset list of hosts with critical vulnerabilities.
Step-by-step instructions:
1. Click Assets.
2. Click +Add.
3. Click Dynamic in the Custom section.
4. Type Hosts with critical vulnerabilities in the Name field.
6. Click Add Rule.
7. Click the Plugin ID drop-down, and then select Severity.
10. Click Submit.
Challenge Questions:
1. Why didn’t we set the plugin ID value when we were defining the severity?
1. Click Assets.
2. Click +Add.
3. Click Combination in the Custom section.
4. Type Newly discovered hosts with critical vulnerabilities in the Name.
5. Type Newly in the Combination field (Do not copy/paste).
6. Select Newly Discovered Hosts.
9. Select Hosts with critical vulnerabilities.
10. Click Submit.
Challenge Questions:
2. If you used this filter in the analysis window, would you only see newly discovered critical
vulnerabilities?
End of Exercises
Answer Key
Part 1: Task 1
1. Click the triangular launch icon to the right of active-scanning. How many web servers were detected?
● 132 (this may be higher due to evolutions of the lab environment)
2. Does this number appear reasonable given the number of hosts identified in your vulnerability scans
from Lab 10?
● No. The original vulnerability scans had less than 20 hosts.
Part 1: Task 2
1. How many web servers were detected in HQ?
● 4 (this may be slightly higher due to evolutions of the lab environment)
2. Click the triangle to the right of active-scanning. What IP addresses at HQ have web servers?
● 10.0.2.5, 10.0.2.99, 10.0.2.244, 10.0.2.248 (may also include 10.0.2.245 & .246)
Part 1: Task 3
1. How many SMTP servers were found in the HQ range of 10.0.2.0/24?
● 2
2. How would you create an asset list just listing the SMTP servers in the HQ range?
● Do a combination asset list of “SMTP Servers” AND “companyname-hq”
Part 2: Task 1
1. Were there any Windows 10 hosts in the company-hq network that we have scanned? (10.0.2.0/24)
● Yes
Part 3: Task 1
1. Why did we use plugin ID 19506?
● Plugin ID 19506 is Nessus scan information, and is contained in every scan. It’s a good Plugin ID
to use to identify discovered hosts.
2. If you were performing weekly scanning, how might you change this asset list?
● Change the less than 2 value to less than 8.
Part 3: Task 2
1. Why didn’t we set the plugin ID value when we were defining the severity?
● We want to identify any plugin with a critical severity, not a specific one.
2. What is the critical rating based upon?
● CVSS v2 score 9-10
Part 3: Task 3
1. Is there another way we could have created this asset list?
● Yes, we could have created one asset list that had both the newly discovered hosts and hosts
with critical severity queries in one asset list.
2. If you used this filter in the analysis window, would you only see newly discovered critical
vulnerabilities?
● No, you’d see all vulnerabilities in hosts that are newly discovered and have a critical
vulnerability.
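The asset-list logic from this lab can be modelled in a few lines of Python. This is an added example, not part of the handout and not Tenable.sc code: the findings are constructed, plugin IDs other than 19506 are placeholders, and the function names are assumptions. It builds the dynamic lists (port 25 or 587, plugin 19506 with days since discovery below a threshold, critical severity), combines them with AND, and shows why filtering analysis by the combined list returns every finding on the matching hosts.

```python
import ipaddress

# Constructed findings, one row per (host, plugin). Only 19506 is a real
# plugin ID taken from the answer key; the 9000x IDs are placeholders.
FINDINGS = [
    {"ip": "10.0.2.5",   "plugin": 19506, "port": 0,   "severity": "info",     "days_since_discovery": 30},
    {"ip": "10.0.2.5",   "plugin": 90001, "port": 25,  "severity": "info",     "days_since_discovery": 30},
    {"ip": "10.0.2.99",  "plugin": 19506, "port": 0,   "severity": "info",     "days_since_discovery": 1},
    {"ip": "10.0.2.99",  "plugin": 90002, "port": 445, "severity": "critical", "days_since_discovery": 1},
    {"ip": "10.0.2.99",  "plugin": 90003, "port": 80,  "severity": "medium",   "days_since_discovery": 1},
    {"ip": "10.0.3.7",   "plugin": 19506, "port": 0,   "severity": "info",     "days_since_discovery": 1},
    {"ip": "10.0.3.7",   "plugin": 90001, "port": 587, "severity": "info",     "days_since_discovery": 1},
    {"ip": "10.0.2.244", "plugin": 19506, "port": 0,   "severity": "info",     "days_since_discovery": 40},
    {"ip": "10.0.2.244", "plugin": 90002, "port": 445, "severity": "critical", "days_since_discovery": 40},
    {"ip": "10.0.2.248", "plugin": 19506, "port": 0,   "severity": "info",     "days_since_discovery": 5},
    {"ip": "10.0.2.248", "plugin": 90002, "port": 445, "severity": "critical", "days_since_discovery": 5},
]


def dynamic_list(findings, rule):
    """Dynamic asset list: every host with at least one finding matching the rule."""
    return {f["ip"] for f in findings if rule(f)}


def static_list(findings, cidr):
    """Static asset list defined by an address range (here, the HQ network)."""
    network = ipaddress.ip_network(cidr)
    return {f["ip"] for f in findings if ipaddress.ip_address(f["ip"]) in network}


def build_lists(findings, max_days=2):
    """Build the lab's asset lists; max_days is the 'less than' value for discovery."""
    smtp = dynamic_list(findings, lambda f: f["port"] in (25, 587))
    hq = static_list(findings, "10.0.2.0/24")
    new = dynamic_list(
        findings,
        lambda f: f["plugin"] == 19506 and f["days_since_discovery"] < max_days,
    )
    critical = dynamic_list(findings, lambda f: f["severity"] == "critical")
    return {
        "SMTP Servers": smtp,
        "companyname-hq": hq,
        "SMTP Servers AND companyname-hq": smtp & hq,  # combination list
        "Newly discovered hosts": new,
        "Hosts with critical vulnerabilities": critical,
        "Newly discovered hosts with critical vulnerabilities": new & critical,
    }


def analysis_filter(findings, asset_list):
    """An asset-list filter selects hosts, so all findings on those hosts come back."""
    return [f for f in findings if f["ip"] in asset_list]


if __name__ == "__main__":
    lists = build_lists(FINDINGS)
    for name, members in lists.items():
        print(f"{name}: {sorted(members)}")
    combined = lists["Newly discovered hosts with critical vulnerabilities"]
    for row in analysis_filter(FINDINGS, combined):
        print(row["ip"], row["plugin"], row["severity"])
    weekly = build_lists(FINDINGS, max_days=8)
    print("weekly:", sorted(weekly["Newly discovered hosts with critical vulnerabilities"]))
```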
rev 012921
1. Click Analysis and select Vulnerabilities.
3. Click All underneath Severity.
5. Click OK.
6. Click Apply All.
8. Click Options.
9. Click Save Query.
12. Click Submit.
14. Click Clear Filters.
15. Click Load Query.
17. Click Apply.
18. Look in the upper right corner and note the number to the right of Total Results.
19. Click Vulnerability Summary.
20. Select Vulnerability list.
22. Click Load Query.
23. Select High and Critical Vulnerabilities and click Apply.
24. Click Options and then click View Settings.
27. Click Submit.
28. Click Analysis and select Queries.
Challenge Questions:
2. Go back and think about Steps 17 and 20 and the vulnerability counts? What is the difference between
Vulnerability Summary and Vulnerability List?
Part 1: Task 2 - Create and Save a Query of VPR 9 or Higher Items
You watched Tenable’s webinar on the Vulnerability Priority Rating (VPR) rating system, and would like to
develop a query that extracts Critical (9 or higher) VPR items.
Step-by-step Instructions:
1. Click Analysis and select Vulnerabilities.
4. Click Select Filters.
7. Click All underneath Vulnerability Priority Rating.
9. Replace the 0 to the right of Between with 9, so the statement reads “Between 9 and 10”.
10. Click OK.
11. Click Apply All.
13. Click Options and Save Query.
16. Click Submit.
18. Click Vulnerability List and select Vulnerability Detail List.
Challenge Questions:
1. Scroll down to the Vulnerability Priority Rating (VPR) Key Drivers. What is the Product Coverage? What
does that mean?
2. Scroll up to the section labeled Exploit Information. Are there any tools that can exploit this
vulnerability? If so, what are they?
Part 1: Task 3 - Create and Save a Query of Vulnerabilities Discovered in the Last Week
Create and schedule a weekly report that reports on all vulnerabilities discovered in the last week.
Step-by-step Instructions:
1. Click Analysis and select Vulnerabilities.
2. From the Vulnerability Analysis drop-down list, select Vulnerability List.
4. If Clear Filters is shown, click Clear Filters.
5. Click Select Filters.
8. Click Apply.
9. Click All underneath Vulnerability Discovered.
11. Click OK.
12. Click Apply All.
13. Click Vulnerability List and select Vulnerability Summary.
15. Click Options and select Save Query.
16. In the Name box, type Vulnerabilities discovered in the last 7 days
18. Click Submit.
Challenge Questions:
1. Does this list show just vulnerabilities discovered in the last 7 days?
2. What can you do to fix this query so it only shows vulnerabilities that have been around for more than
7 days?
Part 2 - Remediation Analysis
Generate a list of MS bulletins and related actions.
Part 2: Task 1 - Create and Save a Query of all MS Bulletins, CVEs and Remediation Actions
Using Analysis tools, create and save queries for MS Bulletins, CVEs and Remediation actions.
Step-by-step Instructions:
1. Click Analysis and select Vulnerabilities.
3. If Clear Filters is shown, click Clear Filters.
5. From the Vulnerability Analysis drop-down list, select MS Bulletin Summary.
6. Click Options and select Save Query.
7. In the Name box, type MS Bulletins
8. In the Tag box, type Microsoft Information
9. Click Submit.
Challenge Questions:
1. Look at the first entry underneath MS Bulletin Summary. What does the two digit number represent?
2. If you wanted to show only MS Bulletins for the year 2019, what would you do?
Part 2: Task 2 - Create and Save a Query of CVEs
Step-by-step Instructions:
1. Click Analysis and select Vulnerabilities.
3. If Clear Filters is shown, click Clear Filters.
5. From the Vulnerability Analysis drop-down list, select CVE Summary.
6. Click Options and select Save Query.
7. In the Name box, type CVE List.
9. Click Submit.
Challenge Questions:
1. Scroll down the list and look for CVE-2017-5715 in the left column and click it. What plugin searches for
this CVE?
2. If you wanted to look for this particular vulnerability, but only in Windows 10 hosts, what would you
do?
Part 2: Task 3 - Create and Save a Query of Remediation Actions
Step-by-step Instructions:
1. Click Analysis and select Vulnerabilities.
3. If Clear Filters is shown, click Clear Filters.
6. Click Options and select Save Query.
7. In the Name box, type Remediations
9. Click Submit.
2. Click Remediation Summary to the left of CVE Summary. Look at the number underneath CVEs for the
first item. Is it the same number that you got in question number 1? If not, why is it different?
Part 3 - Impact Analysis
Generate a list of queries of vulnerabilities that impact the confidentiality of data.
Part 3: Task 1 - Create a Query of CVSS v2 High Confidentiality Issues
Using CVSS v2 filtering, create a query that shows CVSS v2 vector of Confidentiality:complete vulnerabilities.
Step-by-step Instructions:
1. Click Analysis and select Vulnerabilities.
2. From the Vulnerability Analysis drop-down list, select Vulnerability Summary.
4. Click Select Filters.
7. Click Apply.
8. Click All underneath CVSS v2 Vector.
9. Type C:C
10. Click OK.
11. Click Apply All.
12. Click Options and select Save Query.
14. Click Submit.
Challenge Questions:
2. Why would a vulnerability that allows for theft of data not be a critical vulnerability?
Part 3: Task 2 - Create a Query of CVSS v3 High Confidentiality Issues
Using CVSS v3 filtering, create a query that shows CVSS v3 Confidentiality:High vulnerabilities.
Step-by-step Instructions:
1. Click Analysis and select Vulnerabilities.
3. Click Clear Filters.
4. Click Select Filters.
6. Check the box next to CVSS v3 Vector.
7. Click Apply.
8. Click All underneath CVSS v3 Vector.
9. Type C:H
10. Click OK.
11. Click Apply All.
13. Click Options and Save Query.
15. Click Submit.
Challenge Questions:
2. If you filtered on CVSS v2 vector and CVSS v3 vector, could you combine these results?
End of Exercises
Answer Key
Part 1: Task 1
1. Look at the list of queries. Do you see anything unexpected?
● Yes, we see two instances of the “High and Critical Vulnerabilities” query with the same name
but different tags. When we save a query, even if it is a query with the same name as an
existing query, it creates a new query.
2. Go back and think about Steps 17 and 20 and the vulnerability counts? What is the difference between
Vulnerability Summary and Vulnerability List?
● Vulnerability Summary is a list of vulnerabilities and the number of instances or hosts that
have that vulnerability. For example, if we have four hosts with the same vulnerability, you will
see one line. Vulnerability list is a complete list of vulnerabilities, so if two hosts have the
same vulnerability, it will appear twice in this list.
Part 1: Task 2
1. Scroll down to the Vulnerability Priority Rating (VPR) Key Drivers. What is the Product Coverage? What
does that mean?
● The answer will depend upon what vulnerability you selected. It can be: 1) Low, 2) Medium, 3)
High, or 4) Very High. This item indicates the number of unique products affected by the
vulnerability.
2. Scroll up to the section labeled Exploit Information. Are there any tools that can exploit this
vulnerability? If so, what are they?
● The answer to this will depend upon the vulnerability. If there are any items in this section, it
will indicate what applications can be used to actually test the existence of the vulnerability.
Examples include Canvas, Core Impact, Metasploit and malware. With respect to Metasploit, it
will enumerate the payload that should be used.
Part 1: Task 3
1. Does this list show just vulnerabilities discovered in the last 7 days? If not, what else is it showing?
● No, it also shows informational items and compliance items.
2. What can you do to fix this query so it only shows vulnerabilities that have been around for more than
7 days?
● Change Within the last 7 days to More than 7 days ago in the Vulnerability Discovered filter.
Part 2: Task 1
1. Look at the first entry underneath MS Bulletin Summary. What does the two digit number represent?
● The year
2. If you wanted to show only MS Bulletins for the year 2019, what would you do?
● Open the filter and create a filter on MS Bulletin ID with a value of MS19. Note: You do not need
to use a wildcard for this filter; it treats any filter here as contains.
Part 2: Task 2
1. Scroll down the list and look for CVE-2017-5715 in the left column and click it. What plugin searches for
this CVE?
● Nessus plugins search for this vulnerability; however, there are also many passive plugins that
search for it as well. We can tell that the Nessus plugin is 105616 because it is the only plugin
that looks specifically for the vulnerability described in the CVE and not additional
vulnerabilities or combinations. We know some of the other plugins are passive by looking at
the plugin family.
2. If you wanted to look for this particular vulnerability, but only in Windows 10 Hosts, what would you
do?
● Filter these results on the Windows 10 asset list.
Part 2: Task 3
1. How many unique CVEs does this patch fix?
● This answer will depend upon the Remediation action that is selected. It can be located by
looking at the number to the right of Total Results in the upper right corner.
2. Click Remediation Summary to the left of CVE Summary. Look at the number underneath CVEs for the
first item. Is it the same number as number one? If not, why is it different?
● No, it will be a different number. The reason for this is that the results in the CVE Summary
Window count unique CVEs. The number in the Remediations window is total CVEs. If two hosts
are subject to the same CVE, it will count twice (and three times if it applies to three hosts, and
so on).
Part 3: Task 1
1. Are all the vulnerabilities listed critical vulnerabilities?
● No
2. Why would a vulnerability that allows for theft of data not be a critical vulnerability?
● Because the vulnerability may not allow someone to gain administrative privileges on a host
but still allow the theft of data.
Part 3: Task 2
1. Are the vulnerability counts the same as the previous filter?
● No
2. If you filtered on CVSS v2 vector and CVSS v3 vector, could you combine these results?
● No, it would give you a logical AND filter not an OR.
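The counting and filtering behaviour described in this answer key can be reproduced on a small data set. The Python below is an added example, not part of the handout and not Tenable.sc code: the rows, plugin IDs and CVE identifiers are constructed placeholders and the function names are assumptions. It contrasts Vulnerability List with Vulnerability Summary, unique CVEs with total CVE instances, and an AND of the C:C (CVSS v2) and C:H (CVSS v3) vector filters with an OR. The example matches whole metrics by splitting the vector on "/", because a plain substring test for C:H would also match AC:H.

```python
from collections import Counter

# Constructed results, one row per (host, plugin). Plugin IDs and CVE names are placeholders.
ROWS = [
    {"ip": "10.0.2.5", "plugin": 90010, "cves": ["CVE-0000-0001", "CVE-0000-0002"],
     "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"ip": "10.0.2.99", "plugin": 90010, "cves": ["CVE-0000-0001", "CVE-0000-0002"],
     "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"ip": "10.0.2.99", "plugin": 90011, "cves": ["CVE-0000-0003"],
     "cvss2": "AV:N/AC:M/Au:N/C:C/I:N/A:N", "cvss3": ""},  # no v3 vector recorded
    {"ip": "10.0.2.244", "plugin": 90012, "cves": ["CVE-0000-0004"],
     "cvss2": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "cvss3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},
    {"ip": "10.0.2.244", "plugin": 90013, "cves": [],
     "cvss2": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "cvss3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
]


def vulnerability_list(rows):
    """One line per host and vulnerability."""
    return [(r["ip"], r["plugin"]) for r in rows]


def vulnerability_summary(rows):
    """One line per vulnerability, with the number of hosts that have it."""
    return Counter(r["plugin"] for r in rows)


def unique_cves(rows):
    """CVE Summary style count: each CVE once, however many hosts have it."""
    return {cve for r in rows for cve in r["cves"]}


def total_cve_instances(rows):
    """Remediation style count: a CVE is counted once per affected host."""
    return sum(len(r["cves"]) for r in rows)


def has_metric(vector, metric):
    """True when the vector carries exactly this metric, e.g. C:H but not AC:H."""
    return metric in vector.split("/")


def filter_and(rows, v2=None, v3=None):
    """Stacked filters narrow the result: every supplied condition must hold."""
    return [
        r for r in rows
        if (v2 is None or has_metric(r["cvss2"], v2))
        and (v3 is None or has_metric(r["cvss3"], v3))
    ]


def filter_or(rows, v2, v3):
    """What a combined view would need: either condition holds."""
    return [r for r in rows if has_metric(r["cvss2"], v2) or has_metric(r["cvss3"], v3)]


if __name__ == "__main__":
    print("list rows:", len(vulnerability_list(ROWS)))
    print("summary rows:", dict(vulnerability_summary(ROWS)))
    print("unique CVEs:", len(unique_cves(ROWS)), "total:", total_cve_instances(ROWS))
    print("v2 C:C:", len(filter_and(ROWS, v2="C:C")))
    print("v3 C:H:", len(filter_and(ROWS, v3="C:H")))
    print("AND:", len(filter_and(ROWS, v2="C:C", v3="C:H")))
    print("OR:", len(filter_or(ROWS, "C:C", "C:H")))
```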
rev 012921
1. Click Dashboard and select Dashboard.
2. Click Options and select Add Dashboard.
3. Type VPR in the Search Templates box, and press Enter.
5. Scroll down to Schedule and click Every day at.
6. Select 08:00 from the Time drop-down list.
7. Click Add.
8. Wait for the dashboard to populate. If any object does not populate, mouse over its title bar, click the
gear icon in the upper right corner and select Refresh.
Challenge Questions:
1. Look at the component VPR Summary - CVSS to VPR Heat Map. When prioritizing remediation
activities, which cell of the chart is the one that should be considered first?
2. Click the cell in the lower right corner of VPR Summary - CVSS to VPR Heat Map. Click Vulnerability List
and change the Analysis Tool to Vulnerability Summary. How many unique vulnerabilities have a VPR
score of 9 or higher, and have a CVSS score of 9 or higher?
3. Click the >> in the upper left corner to open the filters. Find Vulnerability Priority Rating and click the
x in the upper right corner to remove it. Click Apply All. How many unique vulnerabilities have a
Critical vulnerability rating? How does this compare to the number in Step 2? What does this mean?
Part 1: Task 2 - Deploy a Dashboard Template
Deploy the Getting Started with Tenable.sc Using SLAs dashboard.
Step-by-step Instructions:
1. Click Dashboard and select Dashboard.
2. Click Options and select Add Dashboard.
3. Type SLA’s Dashboard in the Search Templates box.
4. Click the arrow to the right of Getting Started with Tenable.sc Using SLA’s.
6. Select 08:00 from the Time drop-down list.
7. Click Add.
8. Wait for the dashboard to populate. If any object does not populate, mouse over the title bar, click the
gear icon in the upper right corner and select Refresh.
Challenge Questions:
1. In the left column, look at the component in the upper left corner titled SLA Progress - Unmitigated
Vulnerabilities. Look to the right at the top chart in the middle column SLA Progress - Unmitigated
Vulnerabilities by VPR Score. Is there a difference in these charts? If so, what is the difference?
2. Which of these two charts uses probability of compromise in its severity calculation?
Part 1: Task 3 - Modify the SLA Progress
Components of templates can be modified to meet specific needs. In this task you will change the time
frame for SLAs.
Step-by-step Instructions:
1. In the middle column, the first component is titled SLA Progress - Unmitigated Vulnerabilities by VPR
Score. Mouse over the title bar, click the gear icon on the right and select Edit.
2. Change the Critical SLA to 7 days. Mouse over the first column second row, Critical (SLA 3 Days), click
the gear icon and select Edit Header.
4. Click Submit.
8. Click the check mark on the right.
9. Click Submit.
10. Click Submit.
1. Look at the SLA Progress - Unmitigated Vulnerabilities by VPR Score component. Is there anything
wrong with this chart? If so, what?
1. In the middle column, the first component is titled SLA Progress - Unmitigated Vulnerabilities by VPR
Score. Mouse over the title bar, click the gear icon on the right and select Edit.
2. The first row, second column is labeled Within SLA. Click the cell directly underneath Within SLA.
6. Click Submit.
7. Click Submit.
2. What other components of this dashboard do we need to change with this different SLA?
Part 1: Task 5 - Deploy the CVSS Base Risk Host Matrices Dashboard
Step-by-step Instructions:
1. Click Options and select Add Dashboard.
2. In the Search Templates box, type CVSS Base Risk Host Matrices and press Enter.
3. Click the arrow to the right of CVSS Base Risk Host Matrices.
4. Scroll down to Schedule and click Every day at.
5. From the Time drop-down list select 08:00.
6. Click Add.
7. Wait for the dashboard to populate. If any object does not populate, mouse over the title bar, click the
gear icon in the upper right corner and select Refresh.
Challenge Questions:
1. What components on this dashboard break down vulnerabilities based upon impact?
1. Click Options and select Add Dashboard.
2. Under the Custom area, click Advanced.
3. In the Name box, type Companyname-HQ
4. To the right of Layout, click the fifth item (one narrow and one wide column).
5. Click Submit.
Challenge Questions:
1. Click Dashboard and select Dashboard.
2. Click Switch Dashboard and select VPR Summary.
3. Locate the component VPR Summary - Vulnerability Trending over the last 90 days and click the gear
icon in the upper right corner of the component.
4. Select Copy.
5. Click the drop-down list to the right of Dashboard, and select Companyname-HQ.
6. Click Copy.
7. Click Switch Dashboard and select Companyname-HQ.
8. Click the gear icon in the upper right corner of Copy of VPR Summary - Vulnerability Trending over the
last 90 days and select Edit.
11. Click Add Filter.
12. Click Select a Filter and select Asset.
16. Click Submit.
18. Click Add Filter.
19. Click Select a Filter and select Asset.
21. Select Companyname-hq.
23. Click Submit.
25. Click Add Filter.
26. Click Select a Filter and select Asset.
28. Select Companyname-hq.
30. Click Submit.
32. Click Add Filter.
33. Click Select a Filter and select Asset.
35. Select Companyname-hq.
36. Click the check mark to the right.
37. Click Submit.
38. Click Submit.
Challenge Questions:
2. When might you choose to use the copy function rather than using a pre-existing component
template?
Part 2: Task 3 - Add Components to Dashboard
The Security team would like this dashboard to focus on HQ, with the following components:
1. CVSS to VPR Heat Map
2. Unmitigated Vulnerabilities by VPR Score
3. CVSS Base Risk Host Matrix - Confidentiality (C), Availability (A), Integrity (I) Impact Risk Ratios
Step-by-step Instructions:
1. Click Switch Dashboard and select Companyname-HQ.
2. Click Options and select Add Component.
3. In the Search Templates box, type “VPR Heat Map” (with quotation marks) and press Enter.
4. Click the arrow to the right of the line labeled VPR Summary - CVSS to VPR Heat Map.
5. Click the drop-down list to the right of Targets and select Assets.
8. From the Repositories drop-down list, select (check) active-scanning.
10. Select 07:00 from the Time drop-down list.
11. Click Add.
b. CVSS Base Risk Host Matrix - Confidentiality (C), Availability (A), Integrity (I) Impact Risk Ratios
Note: Don’t forget to use quotation marks when searching for dashboard templates.
Challenge Questions:
2. Why didn’t we just copy the component(s) from the existing dashboards onto the new dashboard?
Part 2: Task 4 - Create a Pie Chart of Compliance Data
Create a pie chart of compliance data for HQ in the left column of the dashboard that shows relative passes,
failures and advisories on controls.
Step-by-Step Instructions:
1. Click Switch Dashboard and select Companyname-HQ.
2. Click Options and select Add Component.
3. Click Pie Chart.
4. Type Compliance in the Name box.
6. Click +Add Filter to the right of Filters.
7. Click Select a Filter and select Plugin Type.
8. Next to Plugin Type, select Compliance.
10. Click +Add Filter and select Asset.
14. Click Results Displayed and select 5.
15. Click Submit.
2. How can you find out the absolute value for compliance failures?
End of Exercises
Answer Key
Part 1: Task 1
1. Look at the component “VPR Summary - CVSS to VPR Heat Map”. When prioritizing remediation
activities which cell of the chart is the one that should be considered first?
● Typically you will want to start in the lower right corner (VPR 9-10 and CVSS 9-10)
2. Click the cell in the lower right corner of VPR Summary - CVSS to VPR heat map. Click Vulnerability List
and change the Analysis Tool to Vulnerability Summary. How many unique vulnerabilities have a VPR
score of 9 or higher, and have a CVSS score of 9 or higher?
● The answer will vary, however what is important to note is when changing to the Vulnerability
summary tool, the number goes down, because there are several hosts that have the same
vulnerability.
3. Click the >> in the upper left corner to open the filter. Then click the x in the upper right corner of
Vulnerability Priority Rating. Click Apply All. How many unique vulnerabilities have a Critical
vulnerability rating? How does this compare to the # in step 2? What does this mean?
● By eliminating the VPR as part of the filter, the unique vulnerability count should increase
significantly. This means that this network has several critical vulnerabilities that are unlikely
to be used as a point of compromise. In terms of prioritization, these vulnerabilities should
have a lower priority rating when compared with the ones identified in Step 2.
Part 1: Task 2
1. In the left column look at the component in the upper left corner titled “SLA Progress - Unmitigated
Vulnerabilities.” Look to the right at the Top chart in the middle column “SLA Progress - Unmitigated
Vulnerabilities by VPR Score”. Is there a difference in these charts? If so, what is the difference?
● The chart on the left determines SLA level based upon CVSS vulnerability, whereas the one in the
middle column uses Vulnerability Priority Rating. The SLAs differ with Critical SLA 30 days vs.
Critical SLA 3 Days, High 60 vs. 10 Days, and Medium 90 vs. 30 Days.
2. Which of these two charts uses probability of compromise in its severity calculation?
● The one in the middle. CVSS, as part of its severity calculation, does not include probability of
compromise. Vulnerability Priority Rating does.
Part 1: Task 3
1. Look at the SLA Progress - Unmitigated Vulnerabilities by VPR Score Component. Is there anything
wrong with this chart? If so, what?
● In the first row, the Total Vulnerabilities should be the sum of Within SLA and Overdue. It is
less.
2. What should we change about this chart?
● The second value in the first row, Within SLA has a rule that is 0-3 days. With the requested
change, this needs to be 0-7.
Part 1: Task 4
1. Does the chart look right now?
● Yes
2. What other components of this dashboard do you need to change with this different SLA?
● There are several charts that need to be updated, including: 1) Mitigated Vulnerabilities, 2)
Mitigated Vulnerabilities by VPR score and 3) Unmitigated Vulnerabilities.
Part 1: Task 5
1. What components on this dashboard break down vulnerabilities based upon impact?
● The top two components in the right column both break down vulnerabilities based upon
Impact if compromised.
2. What is the difference between the two?
● The first chart includes raw vulnerability counts, the second chart is based upon percentage of
vulnerabilities.
Part 2: Task 1
1. When creating dashboards, what are narrow columns good for?
● There are several possibilities, but pie charts and tables with a low number of columns are two
good examples.
2. When creating dashboards, what are wide columns good for?
● There are several good answers, but line charts, large matrices and tables with a large number
of columns are some good examples.
Part 2: Task 2
1. Is there a faster way to create this component?
● Yes, use the templated component and set the focus range.
2. When might you choose to use the copy function rather than using a pre-existing component
template?
● If you have designed a custom component that you want to replicate, or if you’ve modified a
component template and want to keep those modifications in another component.
Part 2: Task 3
1. What other approaches are there to creating individual components on dashboards?
● 1) Creating a custom component by hand, 2) Copying a component from one dashboard to
another.
2. Why didn’t we just copy the component(s) from the existing dashboards onto the new dashboard?
● The companyname-HQ dashboard needs all components created with a focus of the asset list
companyname-HQ. There is no way when copying a component to change its focus for all
items in the component. If we had copied the component, we would have had to edit every cell
inside each matrix. It was faster just to re-deploy the component with the component focused
on the asset list at the beginning.
Part 2: Task 4
1. How can you move this pie chart to a different column?
● Drag and drop the component into the column you want.
2. How can you find out the absolute value for compliance failures?
● Mouse over the pie chart and then move over to the orange (High) item.
rev 012921
1. Click Analysis and select Vulnerabilities.
2. Click >> in the upper left to open the filters.
4. Click Select Filters and confirm that the Vulnerability Priority Rating filter is checked. If it is not, select
the check box to the left of Vulnerability Priority Rating.
5. Click Apply.
6. Click All underneath Vulnerability Priority Rating.
7. Click All and select Custom Range.
9. Click OK and click Apply All.
12. Click Options and select Export as PDF.
13. Type VPR 9 or higher items inside the box for Name
19. Click Submit.
20. Click Reporting and select Report Results. Wait for the report to finish.
21. Click the download button to the right of the VPR 9 or higher items report results.
1. Click Dashboard and select Dashboard.
2. Click Switch Dashboard and select VPR Summary.
3. Click Options and select Send to Report.
4. Click Submit.
5. Click Reporting and select Report Results.
7. Click Reports.
8. Click the Launch button to the right of the VPR Summary line.
9. Click Report Results.
1. If you wanted to use the graphics on this dashboard, but add contents and move some of them, what
would you do?
2. How many chapters did this report create and what were they named?
Part 2 - Stakeholder Report
The Executives would like a report of overall risk on the first of the month. Generate a report using the Executive
VPR Summary Report to be run monthly on the first day of the month and deliver it to
[email protected]. Create a report for the System Administrators for remediation.
The Security Officers would like a report of mitigation of vulnerabilities. The Compliance team would like a
compliance report.
Part 2: Task 1 - Executive VPR Summary Report
Create a report from the Executive VPR Summary Report Template.
Step-by-step Instructions:
1. Click Reporting and select Reports.
2. Click +Add in the upper right corner.
5. Click Add.
6. Click the gear icon to the right of Executive VPR Summary Report and select Edit.
7. Click On Demand to the right of Schedule.
8. Click On Demand underneath Frequency and select Monthly.
10. In the Day box, enter the first day of next month (ex: 10/1/2020).
11. Click Submit.
13. Click Report Results and wait for the report to finish.
2. If you wanted this same report, but only for Windows hosts, how would you do it?
Part 2: Task 2 - Remediation Instructions by Host Report
The System Administrators at HQ would like a report that provides a list of patches for their hosts. Prepare a
report using the Remediation Instructions by Host report, setting the focus range to the asset list
companyname-hq.
Step-by-step Instructions:
1. Click Reporting and select Reports.
2. Click +Add in the upper right corner.
3. In the Search Templates box, type “Remediation Instructions by Host” (with the quotes) and press
Enter.
4. Click the arrow to the right of Remediation Instructions by Host Report.
5. Click All Systems to the right of Targets and select Assets.
8. Click Add.
9. Click the Launch button to the right of Remediation Instructions by Host Report.
10. Click Report Results and wait for the Remediation Instructions by Host Report to finish.
1. Scan through the report. Are there any sections of the report that are either empty, or are not relevant
to vulnerability remediation? If so, how would you delete them?
2. The Active Remediation Instructions by Host chapter provides a table of Top 20 Hosts. How would you
change this to be the top 10 hosts?
Part 2: Task 3 - Edit the Remediation Instructions by Host Report
Remove the references to passive data (PVS or NNM) and compliance from the Remediation Instructions by
Host report.
Step-by-step Instructions:
1. Click Reports.
2. Click the gear icon to the right of Remediation Instructions by Host Report and select Edit.
3. Click Definition.
4. Click the pencil icon to the right of 1.1.1.
5. Replace the following sentence: By leveraging the capabilities of SecurityCenter, Nessus and Passive
Vulnerability Scanner (PVS), security teams can more easily identify hosts with vulnerabilities
requiring remediation in order to more effectively secure their network.
With this text: By leveraging the capabilities of Tenable.sc and Nessus, security teams can more easily
identify hosts with vulnerabilities requiring remediation in order to more effectively secure their
network.
6. Click Submit.
7. Click the pencil icon to the right of 1.1.2.
9. Click Submit.
10. Click the pencil icon to the right of 1.1.3.
13. Click Submit.
14. Mouse over the chapter Passive Remediation Instructions by Host and click the trash can icon.
15. Mouse over the chapter Compliance Remediation Instructions by Host and click the trash can icon.
16. Click Submit.
18. Click Report Results and wait for the report to finish.
1. If you wanted to change this new report to report on only hosts in headquarters, how would you do
that?
2. If you wanted to email this report right now to someone, how would you do it?
Part 2: Task 4 - Mitigation Summary Report
The Security team is getting pressure to measure how quickly vulnerabilities are being mitigated. Create a
report using the mitigation summary template.
Step-by-step Instructions:
1. Click Reports.
2. Click +Add.
3. Click the box labeled Search Templates and type “Mitigation Summary” and press Enter.
5. Click Add.
7. Click Report Results and wait for the report to finish.
8. Click the Download button to the right of Mitigation Summary Report. When the report downloads,
open it with a PDF reader.
Challenge Questions:
1. There are two tables with Summary by Severity in section 3.2 (Vulnerability Summaries). What is being
used to calculate severity?
Part 2: Task 5 - Compliance Report
The Compliance team is starting to work on regular compliance scans in headquarters and wants a report
on the results of their work. Prepare a report using the CIS Microsoft Windows Server 2016 v1.1.0 Template.
Step-by-step Instructions:
1. Click Reports.
2. Click +Add in the upper right corner.
3. In the Search Templates box, type “CIS Microsoft Windows Server 2016 v1.1.0” and press Enter.
4. Click the arrow to the right of CIS Microsoft Windows Server 2016 v1.1.0.
8. Click Add.
9. Click the Launch button to the right of CIS Microsoft Windows Server 2016 v1.1.0.
10. Click Report Results and wait for the report to finish.
1. Click Reports.
2. Click the gear icon to the right of Executive VPR Summary Report and select Edit.
3. Click Definition.
5. In the Name box, type Compliance
6. Click Submit.
7. Mouse over Compliance and click Add Element.
8. Click Pie Chart.
11. Click +Add Filter.
12. Click Select a Filter and select Plugin Type.
15. Click Submit.
16. Click Submit.
18. Click Report Results and wait for the report to finish.
20. Scroll to the bottom and view the new pie chart.
Challenge Questions:
1. If you wanted the pie chart to reflect the results of a specific audit file, what would you do?
2. If you wanted to limit the compliance to a specific operating system, what would you do?
Part 3: Task 2 - Edit Remediation Instructions by Host Report
Add a chapter to the end of the Remediation Instructions by Host report. In that chapter, insert a table of
remediation items for VPR 9 or higher items.
Step-by-step Instructions:
1. Click Reports.
2. Click the gear icon to the right of Remediation Instructions by Host Report and select Edit.
3. Click Definition.
5. In the Name box, type VPR 9 or Higher Remediations
6. Click Submit.
7. Mouse over VPR 9 or Higher Remediations and click Add Element.
8. Click Table.
9. In the Name box, type Remediation of VPR 9 or Higher Items
11. Click +Add Filter.
12. Click Select a Filter and select Vulnerability Priority Rating.
13. Click All and select Custom Range.
17. Click Submit.
19. Click Report Results and wait for the report to finish.
1. How would you change the VPR 9 or Higher Remediations table so it only showed remediations that
have been available for more than 30 days?
2. How would you change the VPR 9 or Higher Remediations table so it showed remediations for VPR 9 or
higher vulnerabilities that have been discovered for the first time in the last 7 days?
End of Exercises
Answer Key
Part 1: Task 1
1. What column did this report sort on?
a. Host Total
2. Did this report save as a template you can rerun?
a. No
Part 1: Task 2
1. If you wanted to use the graphics on this dashboard, but add contents and move some of them, what
would you do?
a. Deploy the dashboard as a report and then edit the report.
2. How many chapters did this report create and what were they named?
a. One, and it has the name of the Dashboard–in this case, VPR Summary
Part 2: Task 1
1. If you wanted to eliminate the chapter called About this Report, how would you do it?
● Edit the report and delete the first chapter.
2. If you wanted this same report, but only for Windows hosts, how would you do it?
● Recreate the report using the same template, but set the focus to the asset list Windows hosts.
Part 2: Task 2
1. Scan through the report, are there any sections of the report that are either empty, or are not relevant
to vulnerability remediation? If so, how would you delete them?
● Yes, there are two sections: one with remediation instructions for Passive Detections and
another for Compliance Remediation instructions, that are not what was asked for. You can
delete the chapters on Passive and Compliance remediation to eliminate this information. You
would also want to edit the opening paragraphs to eliminate the references to NNM and
compliance data.
2. The Active Remediation Instructions by Host chapter provides a table of Top 20 Hosts. How would you
change this to be the top 10 hosts?
● You would edit the Top 20 Host Summary Host Summary so the result displayed is 10 instead
of 20.
Part 2: Task 3
1. If you wanted to change this new report to report on only hosts in headquarters, how would you do
that?
● Use the Find/Update filters feature to add the Asset List companyname-hq in all cases where
the Asset list is not set. If you deployed from the Template, you would have to go through and
edit and remove all those items again.
2. If you wanted to email this report right now to someone, how would you do it?
● Click the gear icon to the right of the report and select email. If you edited the distribution
section of the report template, the email would only be delivered the next time the report was
run.
Part 2: Task 4
1. There are two tables with Summary by Severity in section 3.2. What is being used to calculate severity?
● CVSS Score is used to identify severity.
2. How would you change this chart to use VPR instead?
● Edit each table and each cell in each table and change the filter for severity with a VPR filter as
appropriate. Note: There is no VPR option in Update on the Find/Update filters page AND the
Find/Update filter option is global, and cannot be limited to a specific section or chapter.
Part 2: Task 5
1. Review the report. Is it limited to hosts in HQ?
● Yes.
Part 3: Task 1
1. If you wanted the pie chart to reflect the results of a specific audit file, what would you do?
● Edit the pie chart and add a filter for Audit File in the Data section
2. If you wanted to limit the compliance to a specific operating system, what would you do?
● Edit the pie chart and add a filter for Operating System.
Part 3: Task 2
1. How would you change the VPR 9 or Higher Remediations table so it only showed remediations that
have been available for more than 30 days?
● Add a filter to the table for Patch Published more than 30 days ago.
2. How would you change the VPR 9 or Higher Remediations table so it showed remediations for VPR 9 or
higher vulnerabilities that have been discovered for the first time in the last 7 days?
● Add a filter to the table for Vulnerability Discovered in the last 7 days.
rev 012921
1. Click Dashboard and select Assurance Report Cards.
2. Click +Add.
4. Locate CSF IDENTIFY.Risk Assessment (ID.RA) and click the arrow to the right.
5. Click Every Day to the right of Schedule.
6. Click Daily underneath Frequency. Then select weekly.
7. Click the Time box and select 08:00.
8. Look underneath Repeat On and make sure the box for M is highlighted, and all other boxes are not.
You can change them by clicking them.
9. Click Add.
10. Click the triangle to the right of CSF IDENTIFY.RISK ASSESSMENT (ID.RA).
11. Wait for the CSF Identify.Risk Assessment report card to evaluate.
Challenge Questions:
2. Look at the statement for item 1. What changes might need to be made depending upon the Tenable.sc
deployment?
Part 1: Task 2 - Edit the Report Card
The CSF Identify Risk Assessment report contains policy statements using passive data. Remove the passive
data from the query and rephrase the policy statements.
Step-by-step Instructions:
1. Click Dashboards and select Assurance Report Cards.
2. Click Options and select Manage Arcs.
4. Click All underneath Name and type CSF
5. Click Apply.
7. Click the gear icon to the right of CSF IDENTIFY.Risk Assessment (ID.RA) and select Edit.
8. Mouse over the policy statement 1. At least 80% of actively and passively detected systems have been
scanned in the last 14 days and click the pencil icon on the right.
14. Click Submit once more.
Challenge Questions:
2. Will changing this asset list have any impact on the efficiency of the evaluation of this policy
statement?
Part 2 - Create SLA Assurance Report Cards
Create an Assurance Report Card titled “SLAs” with two policies: No critical vulnerabilities more than 14 days
old, and no high vulnerabilities more than 30 days old. Have the drill-down show the vulnerabilities that do not
meet the SLA.
1. Click Dashboard.
2. Select Assurance Report Card.
3. Click Options.
4. Select Advanced Add.
5. Type SLA Report Card in the box labeled Name.
6. Click Every Day to the right of Schedule.
7. Click Daily underneath Frequency.
8. Select Weekly.
11. Click +Add Policy Statement.
12. Type No Critical vulnerabilities more than 14 days old.
13. Click Ratio (X/Y) and select Compliant/Non-Compliant.
14. Click +Add Filter to the right of Base Filter.
15. Click Select a Filter and type Repositories.
16. Click Repositories.
20. Click +Add Filter to the right of Compliant Filters.
21. Click Select Filter underneath Compliant Filter and select Severity.
24. Click +Add Filter underneath Severity.
25. Click Select a Filter and select Vulnerability Discovered.
26. Click Within the last day and select Custom range.
30. Click All to the left of hosts and select No.
31. Click Hosts and select Vulnerabilities.
32. Click +Add Filter to the right of Drill Down Filters.
33. Click Select Filter underneath Drill Down Filters and select Severity.
36. Click +Add Filter underneath Severity.
37. Click Select a Filter and select Vulnerability Discovered.
38. Click Within the last day and select Custom range.
42. Click Submit.
43. Click Submit again.
44. Click Dashboard.
45. Select Assurance Report Cards.
1. Has the organization met their SLA for remediation of critical vulnerabilities?
2. Why did we add the Repository filter to the Base in the policy statement?
3. Why didn’t we add the Repository filter to the Compliant condition section?
Part 2: Task 1 - Add the High Vulnerability Policy to the Report Card
Add the “no high vulnerabilities more than 30 days old” policy to the SLA Report Card.
Step-by-step Instructions:
1. Click Dashboard.
2. Select Assurance Report Card.
3. Click Options.
4. Select Manage ARCs.
5. Click the gear icon to the right of SLA Report Card. You may need to clear filters.
6. Select Edit.
7. Click +Add Policy Statement.
8. Type No High vulnerabilities more than 30 days old.
9. Click Ratio (X/Y) and select Compliant/Non-Compliant.
10. Click +Add Filter to the right of Base Filter.
11. Click Select a Filter and type Repositories
12. Click Repositories.
16. Click +Add Filter to the right of Compliant Filters.
17. Click Select Filter underneath Compliant Filter and select Severity.
20. Click +Add Filter underneath Severity.
21. Click Select a Filter and select Vulnerability Discovered.
22. Click Within the last day and select More than 30 days ago.
24. Click All to the left of hosts and select No.
25. Click Hosts and select Vulnerabilities.
26. Click +Add Filter to the right of Drill Down Filters.
27. Click Select Filter underneath Drill Down Filters and select Severity.
30. Click +Add Filter underneath Severity.
31. Click Select a Filter and select Vulnerability Discovered.
32. Click Within the last day and select More than 30 days ago.
34. Click Submit.
35. Click Submit.
36. Click Dashboard.
37. Select Assurance Report Cards.
2. If you wanted to create this same report just for Headquarters, what is the easiest way to do it?
Part 3 - Use a Report Card in a Report
Create a report that has the Windows Report Card.
2. Click on +Add.
8. Click on Add.
Part 3: Task 2 - Create a report and insert the report card
Create a report that includes the Windows Report Card and have it run at 9:30AM U.S. Eastern Time on
Mondays. Deliver it to [email protected].
Step-by-step Instructions:
1. Click Reporting and select Reports.
2. Click +Add.
3. Click PDF.
9. Click On Demand to the right of Schedule.
10. Click On Demand underneath Frequency and select Weekly.
12. If M is not highlighted underneath Repeat On, click M.
13. If there are any other days highlighted, click them to remove them.
14. Click Definition.
15. Click +Add Chapter.
16. Type Windows Server Report Card in the Name box.
17. Click Submit.
19. Click Assurance Report Card.
20. Type Windows Server Report Card in the Name box.
22. Click Submit.
23. Click Submit.
25. Click Report Results and wait for the report to finish.
27. Click Report Results. When the report downloads, view the file with a PDF reader.
Challenge Questions:
1. What is different in this report when compared to what you saw on the screen?
1. Click Dashboard and select Assurance Report Cards.
2. Click Options and select Advanced Add.
3. Type Compliance Report Card.
4. Click Every day next to Schedule.
5. Click Daily underneath Frequency and select Monthly.
6. Click the Time drop-down and select 08:00.
7. Click the Day box and select the first day of next month.
8. Click +Add Policy Statement.
9. Type No more than 30% of hosts have compliance failures.
10. Click Ratio(x/y) and select Percentage (%).
11. Click +Add Filter to the right of Base Filters.
12. Click Select a Filter and select Repositories.
15. Click +Add Filter to the right of Compliant Filters.
16. Click Select a Filter and type severity.
17. Click Severity.
22. Click +Add Filter to the right of Drilldown Filters.
23. Click Select a Filter and type severity.
24. Select Severity.
27. Click Submit.
28. Click Submit once more.
29. Click Dashboard and select Assurance Report Cards.
1. Are there any potential concerns with the way this policy was written that could cause inaccuracies?
Part 4: Task 2 - Add Second Policy to the Report
Add the second policy statement, no compliance failure more than 60 days old, to the Compliance report
card.
Step-by-step Instructions:
1. Click Dashboard and select Assurance Report Cards.
2. Click Options and select Manage ARCs.
3. Click the gear icon to the right of Compliance Report Card and select Edit.
4. Click +Add Policy Statement.
5. Type No compliance failures more than 60 days old.
6. Click Ratio (x/y) and select Compliant/Non-Compliant.
7. Click +Add Filter to the right of Base Filters.
8. Click Select a Filter, type repositories and select Repositories.
11. Click +Add Filter to the right of Compliant Filter.
12. Click Select a filter and type severity.
13. Click Severity.
16. Click +Add Filter underneath Severity.
17. Click Select a Filter and type vulnerability.
18. Select Vulnerability Discovered.
19. Click Within the Last Day and select Custom Range.
23. Click All to the right of Compliant Condition and select No.
24. Click +Add Filter to the right of Drilldown Filters.
25. Click Select a Filter and type severity.
26. Select Severity.
29. Click +Add Filter underneath Severity.
30. Click Select a Filter and type repositories.
31. Select Repositories.
34. Click +Add Filter underneath Repositories.
35. Click Select a Filter and type vulnerability.
36. Select Vulnerability Discovered.
37. Click Within the last day and select Custom Range.
41. Click Submit.
42. Click Submit once more.
43. Click Dashboard and select Assurance Report Cards and wait for the report card to evaluate.
Challenge Questions:
1. Would changing the order of the filters on any of the policy statements change the results?
2. Would changing the order of the filters on any of the policy statements improve the efficiency of
generating results?
End of Exercises
Answer Key
Part 1: Task 1
1. Does the organization pass on all items on the report card?
● No, they fail on at least 8 items.
2. Look at the statement for item 1. What changes might need to be made depending upon the Tenable.sc
deployment?
● If the customer is not running Nessus Network Monitor or some other passive monitoring
system, statement #1 might be misleading.
Part 1: Task 2
1. Why did we change the asset list on the base filter?
● To only include actively scanned hosts in the population of hosts for the policy statement
2. Will changing this asset list have any impact on the efficiency of the evaluation of this policy
statement?
● Yes, the policy statement should run more quickly, and put less load on Tenable.sc.
Part 2: Task 1
1. Has the organization met their SLA for remediation of critical vulnerabilities?
● No.
2. Why did we add the Repository filter to the Base in the policy statement?
● To eliminate compliance results.
3. Why didn’t we add the Repository filter to the Compliant condition section?
● Any filter in the Base is automatically applied to the Compliant section.
Part 2: Task 2
1. Does the organization meet their SLA for high vulnerabilities?
● No
2. If we wanted to create this same report for just headquarters, what is the easiest way to do it?
● Copy the SLA Report Card. Then rename the report card and change the focus range to the
asset list companyname-hq. Then click the pin on the report card to show it, and go to
Dashboards/Assurance Report Cards.
Part 3: Task 2
1. What is different in this report when compared to what you saw on the screen?
● The Compliant/Non-compliant column we saw on the dashboard is not in the report.
2. If we ran this report on Tuesday, would it update with new results?
● No, the report only copies the results from the report card, which only updates once per week.
Part 4: Task 1
1. Are there any potential concerns with the way this policy was written that could cause inaccuracies?
● Yes, if non-compliance (a.k.a. vulnerability) data were accidentally placed in the
active-scanning-compliance or Compliance repositories, the results would be inaccurate.
2. If so, how could you resolve those concerns?
● In the Compliant filter and the Drilldown filter add an additional item for Plugin Type
Compliance.
Part 4: Task 2
1. Would changing the order of the filters on any of the policy statements change the results?
● No, as long as all the filters were the same.
2. Would changing the order of the filters on any of the policy statements improve the efficiency of
generating results?
● Yes. Typically, when you create filters, you want to order them so that the filters that
eliminate the most data from subsequent queries come first. For example, placing repositories
first (thus eliminating all the data from a given repository) rather than later will improve
efficiency.
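The two answers above about the Repository base filter and the Plugin Type fix can be checked with a small model. This is an added example, not Tenable.sc code or part of the original handout: it is a simplified model of a policy statement, the host names and the active-scanning repository name are hypothetical, the findings are constructed, and it assumes a failed compliance check is reported with severity High.

```python
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2021, 2, 1)                                   # constructed evaluation date
VULN_REPOS = {"active-scanning"}                           # hypothetical repository name
COMP_REPOS = {"active-scanning-compliance", "Compliance"}  # names used in the answer key


@dataclass(frozen=True)
class Finding:
    host: str
    repository: str
    plugin_type: str   # "active" or "compliance"
    severity: str
    discovered: date   # "Vulnerability Discovered": first time seen on the host


def days_ago(n):
    return TODAY - timedelta(days=n)


# Constructed sample data, not output from a real Tenable.sc instance.
FINDINGS = [
    Finding("hq-01", "active-scanning", "active", "high", days_ago(45)),
    Finding("hq-02", "active-scanning", "active", "high", days_ago(5)),
    Finding("hq-03", "active-scanning", "active", "medium", days_ago(90)),
    Finding("hq-02", "active-scanning-compliance", "compliance", "high", days_ago(70)),
    Finding("hq-03", "active-scanning-compliance", "compliance", "info", days_ago(70)),
    Finding("hq-04", "active-scanning-compliance", "compliance", "info", days_ago(10)),
    Finding("hq-05", "Compliance", "compliance", "info", days_ago(3)),
    # Vulnerability data filed in a compliance repository by mistake.
    Finding("hq-04", "active-scanning-compliance", "active", "high", days_ago(3)),
]


def evaluate(findings, base, matches, max_pct=0.0):
    """Return (compliant, matching_hosts, population_hosts).

    base    -- predicate for the Base Filters (defines the population)
    matches -- predicate for the Compliant Filters; it only ever sees
               findings that already passed `base`
    max_pct -- largest share of population hosts allowed to match;
               0.0 models the "No hosts" condition
    """
    population = [f for f in findings if base(f)]
    pop_hosts = {f.host for f in population}
    hit_hosts = {f.host for f in population if matches(f)}
    pct = 100.0 * len(hit_hosts) / len(pop_hosts) if pop_hosts else 0.0
    return pct <= max_pct, sorted(hit_hosts), sorted(pop_hosts)


def high_vuln_sla(findings, base_repository_filter=True):
    """'No High vulnerabilities more than 30 days old' (Compliant/Non-Compliant)."""
    if base_repository_filter:
        base = lambda f: f.repository in VULN_REPOS
    else:
        base = lambda f: True
    return evaluate(findings, base,
                    lambda f: f.severity == "high" and (TODAY - f.discovered).days > 30)


def compliance_failure_pct(findings, plugin_type_filter=False):
    """'No more than 30% of hosts have compliance failures' (Percentage)."""
    def matches(f):
        if plugin_type_filter and f.plugin_type != "compliance":
            return False
        # Assumption: a failed compliance check carries severity High.
        return f.severity == "high"
    return evaluate(findings, lambda f: f.repository in COMP_REPOS, matches, max_pct=30.0)


if __name__ == "__main__":
    print("SLA, repository in base:    ", high_vuln_sla(FINDINGS))
    print("SLA, no repository filter:  ", high_vuln_sla(FINDINGS, False))
    print("Compliance %, as written:   ", compliance_failure_pct(FINDINGS))
    print("Compliance %, + Plugin Type:", compliance_failure_pct(FINDINGS, True))
```

Without the Repository base filter, the 70-day-old compliance failure on hq-02 is counted as a High vulnerability; with the misfiled finding on hq-04, the percentage statement fails until the Plugin Type filter is added.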
rev 012921
1. Click Workflow and select Alerts.
2. Click +Add in the upper right corner.
3. In the Name box, type There are New VPR 9 or higher vulnerabilities
4. Click Every day to the right of Schedule.
5. From the Time drop-down list select 08:30.
6. Under the Condition section, click +Add Filter to the right of Filters.
7. Click Select a Filter and select Vulnerability Priority Rating.
8. Click All and select Custom Range.
11. Click +Add Filter.
15. Click Email.
16. In the Subject box, replace Email Alert with New VPR 9 or Higher Items.
18. In the Message box, type There are newly discovered VPR 9 or higher items that have been discovered
with last night’s scans.
20. Click Submit.
1. The email that this alert generates does not send out a list of hosts. What options are there available
to send out a list of hosts?
1. Click Scans and select Active Scans.
2. Locate Companyname-hq Credentialed Scan, click the gear icon to the right and select Copy.
4. Click the Name box. Delete what is there and replace it with Credentialed vulnerability scan template
for alerts
5. Click Submit.
6. Click Workflow.
7. Click Alerts.
8. Click +Add.
10. Click Every day at to the right of Schedule.
13. Click Select a Filter and select Plugin ID.
16. Click +Add Filter.
17. Click Select a Filter and select Vulnerability Last Observed.
18. Click Within the last day and select More than 7 days ago.
20. Click +Add Actions.
21. Click Launch Scan.
22. Click Select a Scan and select Credentialed vulnerability scan template for alerts.
23. Click Submit.
24. Click +Add Actions.
25. Click Email.
26. In the Subject box, replace Email Alert with Hosts that have not been scanned in the last 7 days
29. Click Submit.
30. Click Submit once more.
Challenge Questions:
3. What is the target range of the scan that is used in this alert? What hosts are actually scanned when
this scan is triggered via an alert?
Part 2 - Create Alerts that Generate Reports
Create an on demand report that lists compliance failures that are more than 60 days old that are
automatically sent to the Compliance team via email. Then, set an alert that runs the report if there are any
compliance failures more than 60 days old.
Part 2: Task 1 - Create a Report
Create a report that lists compliance failures that are more than 60 days old.
Step-by-step Instructions:
1. Click Reporting and select Reports.
2. Click +Add.
3. Click PDF.
5. Click Definition.
6. Click Add Chapter.
8. Click Submit.
9. Mouse over Compliance Failures more than 60 days old and click Add Element.
10. Click Table.
12. Click Vulnerability Summary and select Vulnerability List.
13. Click +Add Filter.
14. Click Select a Filter and select Plugin Type.
17. Click +Add Filter.
18. Click Select a Filter and select Vulnerability Discovered.
19. Click Within the Last Day and select Custom Range.
21. Delete the 10 to the right of and. The entry will change to all.
a. Family
b. VPR
c. MAC Address
d. Repository
24. Click Submit.
25. Click Submit once more.
Challenge Questions:
1. Why did we uncheck the VPR and Family items from the report?
2. Why did we use Vulnerability Discovered instead of Vulnerability Last Observed in the filter?
Part 1: Task 2 - Create an Alert to Launch a Report
Create a daily alert that looks for compliance failures more than 60 days old. If there are any, have it launch
the report generated in Task 1.
Step-by-step Instructions:
1. Click Workflow and select Alerts.
2. Click +Add.
3. In the Name box, type Compliance failures more than 60 days old
4. Click Every day at to the right of Schedule.
5. In the Time box, select 08:00.
6. Under the Condition section, click +Add Filter.
7. Click Select a Filter and select Plugin Type.
10. Click +Add Filter.
11. Click Select a Filter and select Vulnerability Discovered.
12. Click Within the Last Day and select Custom Range.
14. Delete the 10 to the right of and. The entry will change to all.
16. Click +Add Actions.
17. Click Launch Report.
18. Click Select a Report Template.
19. Select Compliance Failures more than 60 days old.
20. Click Submit.
1. Will the compliance team receive a report via email when there is a compliance failure more than 60
days old?
2. What would you change to have them receive the report via email?
Part 3 - Create an Alert to Send a CSV File
Create an alert that sends out a CSV file of hosts where the most recent credentialed scan failed.
Part 3: Task 1 - Create a Query
Create and save a query named New Credential Failures that identifies credentialed scan failures in the last
24 hours. (Plugin ID 104410 will identify when credentials have failed during a scan.)
Step-by-step Instructions:
1. Click Analysis and select Vulnerabilities.
3. Click Clear Filters, if it is shown.
4. Click Select Filters.
5. Search for Plugin ID.
7. Click Apply.
8. Underneath Plugin ID, click All. Type 104410 in the box to the right of =.
9. Click OK.
10. Click Select Filters.
11. Type observed
12. Select the check box to the left of Vulnerability Last Observed.
13. Click Apply.
14. Click All underneath Vulnerability Last Observed.
16. Click OK.
17. Click Apply All.
18. Click Options (at the top right) and select Save Query.
21. Click Submit.
Challenge Questions:
2. If we were performing weekly scans instead of daily, would this query work to identify scans with
credential failures? If not, how would you fix it?
3. Are there other queries that could be created to identify scans where credentials have failed?
Part 3: Task 2 - Create an Alert to Email a CSV File
Create an alert named Credentialed Scan Failures that sends an email to
[email protected] with a .csv file of hosts where credentials failed.
Step-by-step Instructions:
1. Click Workflow and select Alerts.
2. Click +Add.
4. Click Every day at to the right of Schedule.
5. From the Time drop-down list, select 08:30.
6. Under Condition, click Select a Query and select Credential Failures in the Last 24 Hours.
7. Click +Add Actions.
8. Click Email.
13. Click Submit.
14. Click Submit.
Challenge Questions:
1. If you were to modify the filters on this alert, would it modify the saved query?
2. What would you do if you wanted to generate a PDF report containing this information and deliver it to
the same email address?
End of Exercises
Answer Key
Part 1: Task 1
1. The email that this alert generates does not send out a list of hosts. What options are there available
to send out a list of hosts?
● If the Include Results option is enabled in the alert, a CSV file is sent inside the mail. You could
also create a PDF or RTF report template with the information with distribution to emails
defined, then adjust the alert to run the report if triggered.
2. What advantages are there to the various options?
● The CSV file requires less front end work. However, the enable option does not create an
actual attachment, so the user has to cut and paste the data. The launch report option
provides greater reporting options, as well as actually creating an attachment.
Part 1: Task 2
1. Why did we use the filter for Plugin ID 19506?
● Plugin ID 19506’s name is Nessus Scan Information and it will appear for every host using any
templated scan policy. Plugin ID 19506 is a good plugin to use for filtering to pull information
about the scan, as well as using the date filters to identify when the host was first, and most
recently scanned.
2. Why did we use Vulnerability Last Observed, instead of Vulnerability Discovered?
● In this case, we want to identify when the host was most recently scanned. The Vulnerability
Last Observed filter for plugin ID 19506 will identify when the host was most recently scanned.
3. What is the target range of the scan that is used in this alert? What hosts are actually scanned when
this scan is triggered via an alert?
● The actual scan definition uses the companyname-hq asset list. When launching a scan from a
triggered alert, the target range for the scan is defined as the host(s) that triggered the alert,
not what is defined in the scan itself.
Part 2: Task 1
1. Why did we uncheck the VPR and Family items from the report?
● VPR is not relevant to compliance checks, and plugin family is not going to provide any useful
information other than it is a compliance check.
2. Why did we use Vulnerability Discovered instead of Vulnerability Last Observed in the filter?
● Vulnerability Last Observed will return the most recent time the vulnerability was identified in
the host. In this case we want to identify how long the vulnerability has been on the host, so
we use the vulnerability discovered box.
Part 2: Task 2
1. Will the compliance team receive a report via email when there is a compliance failure more than 60
days old?
● No, the report will be generated, and available for download, but it will not be delivered via
email.
2. What would you change to have them receive the report via email?
● Change the Distribution options in the report so it delivers the report to the Compliance team
when run. Adding an email option in the alert will only tell the Compliance team that the alert
has triggered. If the Include Results option is turned on, it will send them a CSV, not the report
that was run.
Part 3: Task 1
1. How often is this query run in Tenable.sc?
● This query is only run when some other object calls it or a user loads the query. Saved Queries
in Tenable.sc do not automatically evaluate.
2. If we were performing weekly scans instead of daily, would this query work to identify scans with
credential failures? If not, how would you fix it?
● Yes. Because the check frequency (daily) and the date period on the query (last 24 hours) are
more frequent than the scan frequency, if credentials fail as a result of a scan, they will be
identified with the alert. However, this is not an efficient use of Tenable.sc resources, because
we know six of the seven times this alert is evaluated it will, without question, not trigger,
because scans have not run in the last 24 hours. It would be better to change the frequency of
the alert check to weekly, based upon the day of the week scans are being run.
3. Are there other queries that could be created to identify scans where credentials have failed?
● There are a large number of plugins that provide information on whether or not credentialed
scans run properly, including the plugin output of 19506 (credentialed scans: yes/no) and
Plugin ID 21745. Many times you will have different queries that use different approaches to
achieve effectively the same result.
Part 3: Task 2
1. If you were to modify the filters on this alert, would it modify the saved query?
● No. The query would remain unchanged. When selecting a query for any object, it retrieves the
filter settings for that query and populates the appropriate boxes in the object. The saved
query itself remains unchanged.
2. What would you do if you wanted to generate a PDF report containing this information and deliver it to
the same email address?
● Create a PDF report that contains the information desired, set the distribution to the desired
email address, and then add Launch Report to the alert.
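The date-filter answers in this key (Vulnerability Last Observed for plugin 19506, Vulnerability Discovered for aged compliance failures, the 24-hour window for plugin 104410, and the alert-launched scan target) can be reproduced over sample records. This is an added example, not Tenable.sc code or part of the original handout: the records, host names and compliance plugin IDs are constructed, and every compliance record is taken to be a failure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2021, 1, 11, 8, 30)   # constructed alert evaluation time


@dataclass(frozen=True)
class Record:
    host: str
    plugin_id: int
    plugin_type: str          # "active" or "compliance"
    discovered: datetime      # Vulnerability Discovered
    last_observed: datetime   # Vulnerability Last Observed


def ago(**kw):
    return NOW - timedelta(**kw)


# Constructed sample data; the 10000xx plugin IDs are placeholders.
RECORDS = [
    Record("hq-01", 19506, "active", ago(days=100), ago(days=1)),
    Record("hq-02", 19506, "active", ago(days=100), ago(days=9)),
    Record("hq-03", 1000001, "compliance", ago(days=90), ago(days=1)),
    Record("hq-04", 1000002, "compliance", ago(days=10), ago(days=1)),
    Record("hq-05", 104410, "active", ago(hours=12), ago(hours=12)),
    Record("hq-06", 104410, "active", ago(days=5), ago(days=3)),
]


def stale_hosts(records, now, days=7):
    """Plugin 19506 last observed more than `days` ago: host not scanned since."""
    cutoff = now - timedelta(days=days)
    return sorted({r.host for r in records
                   if r.plugin_id == 19506 and r.last_observed < cutoff})


def old_compliance_failures(records, now, days=60, field="discovered"):
    """Compliance failures older than `days`, measured on the chosen date field."""
    cutoff = now - timedelta(days=days)
    return sorted({r.host for r in records
                   if r.plugin_type == "compliance" and getattr(r, field) < cutoff})


def credential_failures(records, now, hours=24):
    """Plugin 104410 last observed within the previous `hours`."""
    cutoff = now - timedelta(hours=hours)
    return sorted({r.host for r in records
                   if r.plugin_id == 104410 and r.last_observed >= cutoff})


def alert_scan_targets(scan_definition_targets, triggering_hosts):
    """Per the answer key, an alert-launched scan targets the hosts that
    triggered the alert, not the range in the scan definition."""
    return sorted(triggering_hosts)


def daily_triggers_for_weekly_scan(scan_time, first_check, checks=7):
    """Count how many daily checks fire on one failure found by a weekly scan."""
    rec = [Record("hq-07", 104410, "active", scan_time, scan_time)]
    return sum(bool(credential_failures(rec, first_check + timedelta(days=i)))
               for i in range(checks))


if __name__ == "__main__":
    stale = stale_hosts(RECORDS, NOW)
    print("not scanned in 7 days:", stale)
    print("scan launched against:", alert_scan_targets(["hq-01", "hq-02", "hq-03"], stale))
    print("failures > 60 days (Discovered):   ", old_compliance_failures(RECORDS, NOW))
    print("failures > 60 days (Last Observed):",
          old_compliance_failures(RECORDS, NOW, field="last_observed"))
    print("credential failures, last 24h:", credential_failures(RECORDS, NOW))
    print("daily checks that fire per weekly scan:",
          daily_triggers_for_weekly_scan(datetime(2021, 1, 10, 22, 0), NOW))
```

Filtering the compliance failures on Last Observed returns nothing because both failures were seen again yesterday, which is why the lab uses Vulnerability Discovered to measure age.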
rev 010721
2. Click the Menu button (three lines in the upper left corner) from the main dashboard.
3. Click the Edit (pencil) icon.
5. Verify both your First Name and Last Name appear correctly.
6. Fill out any other required fields marked by a red asterisk (*).
Part 1: Task 3 - Obtain Certificate of Attendance
Once the feedback survey has been completed, the course will also be marked as complete.
Step-by-step Instructions:
1. Locate the button at the top right that reads Download Your Certificate on the main course page.
This will be a PDF with your name, course name and date.
2. Download the PDF for your records.
End of Exercises
Tenable University
About
About Tenable
Tenable®, Inc. is the Cyber Exposure company. Over 30,000 organizations around the globe rely
on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended
its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital
asset on any computing platform. Tenable customers include more than 50 percent of the
Fortune 500, more than 30 percent of the Global 2000 and large government agencies. Learn
more at www.tenable.com.
COPYRIGHT 2021 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE, TENABLE.IO, TENABLE NETWORK
SECURITY, NESSUS, SECURITYCENTER, SECURITYCENTER CONTINUOUS VIEW AND LOG
CORRELATION ENGINE ARE REGISTERED TRADEMARKS OF TENABLE, INC. TENABLE.SC, TENABLE.OT,
LUMIN, INDEGY, ASSURE, AND THE CYBER EXPOSURE COMPANY ARE TRADEMARKS OF TENABLE,
INC. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.
Rev 021621